
Embed a JavaScript CDN in your web browser with Decentraleyes

Decentraleyes is a browser extension for Mozilla Firefox and Google Chrome that acts as a Content Delivery Network (CDN) for popular JavaScript libraries right from within your browser. This reduces page load times and bandwidth costs, as some popular libraries can be loaded from your device. It also reduces your reliance on potentially privacy-worrisome external repositories of open-source libraries.

Decentraleyes is, strictly speaking, only useful if you’re bandwidth constrained or very worried about your privacy, but it’s a neat idea nonetheless.

Decentraleyes works by identifying linked resources from known content delivery networks and replacing them with links to the same version of the same JavaScript library from inside the extension. This causes the library to be loaded from inside the extension rather than fetched from the web. Decentraleyes ships with multiple versions of all the most popular open-source JavaScript libraries by default.

Before the page starts fetching external resources, such as JavaScript files, the links to external content networks known to Decentraleyes are rewritten to the same version of the same library stored inside the extension. No HTTP connections are ever made to the CDN when addresses can be successfully rewritten. This address rewriting causes the origin of the library to change, which can be a problem on some secure websites.

Content-Security-Policy trouble

Meddling with the security of websites by an extension is understandably not allowed under Mozilla’s policies for extensions. The wording specifically says that an extension isn’t to “Degrade the security of HTTPS sites” nor “Create or expose security vulnerabilities”.

Content-Security-Policy (CSP) is a standard specification that lets HTTPS websites allow-list a set of domains/origins from which the browser may load external content such as images and JavaScript. By changing the origin of a JavaScript library from a CDN that a website has allow-listed to an unknown origin, in this case the extension’s own origin, the browser will enforce the Content-Security-Policy and block the library from being loaded.

This problem can’t be solved under Mozilla’s current extension policies of not weakening website security. Decentraleyes’ only options are either to block the library and not replace it, which some users may find useful, or to allow the library to be loaded from the external CDN when it detects a strong Content-Security-Policy. Currently, this problem results in a few broken websites here and there when using Decentraleyes.
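To make the CSP conflict concrete, here is an added example (my own code, not from Decentraleyes or its authors) that models, in simplified form, how a browser checks a script URL against the page’s policy. The policy, page origin, CDN address and the extension-origin stand-in are all constructed inputs; the real extension id and internal path layout differ.

```javascript
// Simplified model of browser CSP source matching, to show why a library
// rewritten from an allow-listed CDN to the extension's own origin is blocked.
// Paths in host-sources and hash/nonce sources are ignored for brevity.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Match one source expression ('self', scheme:, host-source) against a URL.
function sourceMatches(expr, url, pageOrigin) {
  const e = expr.replace(/^'|'$/g, '').toLowerCase();
  if (e === 'none') return false;
  if (e === 'self') return url.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return url.protocol === e; // scheme-source
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A host-source without a scheme matches only the page's scheme or https.
  const pageScheme = new URL(pageOrigin).protocol;
  const schemeOk = scheme ? url.protocol === scheme + ':'
                          : url.protocol === 'https:' || url.protocol === pageScheme;
  if (!schemeOk) return false;
  const hostOk = host === '*' || (host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) : url.hostname === host);
  if (!hostOk) return false;
  const urlPort = url.port || (url.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === urlPort;
}

// script-src falls back to default-src; no applicable directive means allow.
function scriptAllowed(cspHeader, pageOrigin, scriptUrl) {
  const d = parseCsp(cspHeader);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;
  const url = new URL(scriptUrl);
  return sources.some(s => sourceMatches(s, url, pageOrigin));
}

// Constructed inputs: a policy allow-listing Google Hosted Libraries, the CDN
// address a page references, and a stand-in for the rewritten address.
const POLICY = "default-src 'self'; script-src 'self' https://ajax.googleapis.com";
const PAGE = 'https://example.com';
const CDN_URL = 'https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js';
const REWRITTEN_URL = 'moz-extension://extension-id-placeholder/resources/jquery/3.1.1/jquery.min.js';

console.log(scriptAllowed(POLICY, PAGE, CDN_URL));       // true: CDN origin is allow-listed
console.log(scriptAllowed(POLICY, PAGE, REWRITTEN_URL)); // false: extension origin is not
```

A page without a `script-src` or `default-src` directive loads either address, which is why the breakage only shows up on sites that deploy a strict policy.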

Update (): Version 2.0.0 has been completely rewritten using the Firefox WebExtension API. However, this problem remains unresolved — and now even more websites use CSP and run into problems with Decentraleyes.

So, what is the privacy problem, anyway?

The privacy issue that Decentraleyes wants to fix is all about the referrer header. Like the issue I discussed last week, the HTTP referrer header can leak information about what websites you visit. A content distribution network receives a request from your web browser every time you visit any page that loads anything from it.

The most popular CDN providers thus receive a lot of signals about which webpages interest a user, even though the CDN is supposedly only providing hosting services.

It’s interesting to note that some of the free content delivery networks are provided by data brokers like Google and Baidu. EFF’s Privacy Badger extension automatically detects some of these CDNs as trackers and will automatically block them.

Decentraleyes, as of version 1.3.8, supports many of the most popular open-source JavaScript libraries, including Angular, Backbone, Dojo, Ember, ExtCore, jQuery, jQuery UI, Modernizr, Mootools, Prototype, script.aculo.us, SWFObject, Underscore, and Web Font Loader. Library substitution only takes place when they’re loaded from known content delivery networks, including Google Hosted Libraries, Microsoft Ajax CDN, Cloudflare, jQuery CDN and jsDelivr (MaxCDN), Yandex CDN, and Baidu CDN.

I hope to see a resolution to the Content-Security-Policy problem, and to see a longer list of supported content delivery networks in future updates to Decentraleyes.