Modern websites heavily rely on JavaScript (JS) to implement legitimate functionality as well as privacy-invasive advertising and tracking. Browser extensions such as NoScript block any script not loaded by a trusted list of endpoints, thus hoping to block privacy-invasive scripts while avoiding breaking legitimate website functionality. In this paper, we investigate whether blocking JS on the web is feasible without breaking legitimate functionality. To this end, we conduct a large-scale measurement study of JS blocking on 100K websites. We evaluate the effectiveness of different JS blocking strategies in tracking prevention and functionality breakage. Our evaluation relies on quantitative analysis of network requests and resource loads as well as manual qualitative analysis of visual breakage. First, we show that while blocking all scripts is quite effective at reducing tracking, it significantly degrades functionality on approximately two-thirds of the tested websites. Second, we show that selective blocking of a subset of scripts based on a curated list achieves a better tradeoff. However, there remain approximately 15% `mixed` scripts, which essentially merge tracking and legitimate functionality and thus cannot be blocked without causing website breakage. Finally, we show that fine-grained blocking of a subset of JS methods, instead of scripts, reduces major breakage by 3.7$\times$ while providing the same level of tracking prevention. Our work highlights the promise and open challenges in fine-grained JS blocking for tracking prevention without breaking the web.
翻译:现代网站严重依赖JavaScript(JS)来实现合法功能,同时也依赖其实现侵犯隐私的广告和追踪。诸如NoScript之类的浏览器扩展会阻止不受信任端点列表加载的任何脚本,以期在避免破坏合法网站功能的同时拦截侵犯隐私的脚本。本文研究在网络上阻止JS是否能在不破坏合法功能的情况下实现。为此,我们对100K网站上的JS拦截进行了大规模测量研究。我们评估了不同JS拦截策略在追踪预防与功能破坏方面的有效性。评估基于对网络请求和资源加载的定量分析,以及对视觉破坏的定性分析。首先,我们表明,虽然拦截所有脚本在减少追踪方面相当有效,但在约三分之二的测试网站上会显著降低功能。其次,我们表明,根据精心筛选的列表选择性拦截脚本子集可达到更好的权衡。然而,仍有约15%的“混合”脚本,它们本质上融合了追踪与合法功能,因此无法在不破坏网站的情况下被拦截。最后,我们表明,对JS方法子集(而非脚本)进行细粒度拦截,可将主要破坏减少3.7倍,同时提供同等级别的追踪预防。我们的工作突显了细粒度JS拦截在预防追踪而不破坏网络方面的前景与开放性挑战。