https://www2.w3c-test.org/console/console-count-logging-manual.html

test suite info:
http://web-platform-tests.org
https://github.com/w3c/web-platform-tests
https://developer.mozilla.org/en-US/docs/Mozilla/QA/web-platform-tests
https://chromium.googlesource.com/chromium/src.git/+/master/docs/testing/web_platform_tests.md
https://github.com/MicrosoftEdge/web-platform-tests

https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/runtime/onMessage

Cannot sign in to github.com even when all "blocked standards" are cleared.
It works only if I disable WAM extension.

Cheers

Can you add additional info by which "Blocked standard" something was blocked.
Otherwise, it is quite hard to find out what needs to be un-checked in the settings to restore functionality.

Thank you
Cheers

even with an empty blocking set…

I think Navigator.prototype.getBattery should just be Navigator.getBattery

https://www2.w3c-test.org/battery-status
https://www.w3.org/TR/battery-status/

Code like the below can cause an infinite loop

<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <title>Testing Infinite Loop Case</title>
    </head>
    <body>
        <div id="example-div">
            <p>A child node</p>
        </div>
        <script>
            // For testing when "Selectors API Level 1" is being blocked.
            const exampleDiv = document.querySelector("example-div");
            let childNode = exampleDiv.childNode;
            let nextSibling;

            // Will be stuck in an infinite loop, as nextSibling will keep
            // returning the blockign proxy.
            while (childNode) {
                nextSibling = childNode.nextSibling;
                exampleDiv.removeChild(childNode);
                childNode = nextSibling;
            }
        </script>
        <script>
            // This will only trigger if the above infinite loop is broken.
            const elementToInsert = document.createElement("div");
            elementToInsert.className = "success-case";
            document.body.appendChild(elementToInsert);
        </script>
    </body>
</html>

Is there a setting which causes this error msg?

To comment on reddit and watch a video on YouTube I had to change a few settings on the aggressive preset. Just putting them out here for reference. You may want a link in the add-on to come to the github page and a link to the wiki if you decide on using it :)

YouTube seemed to need all of these:
uncheck CSSOM View Module
uncheck File API
uncheck Fullscreen API
uncheck HTML: Web Storage
uncheck Media Source Extensions

uncheck Selection API (couldn't comment on reddit)

And I went ahead and checked these two because I don't need them:
check Service Workers
check Vibration API

Firefox 57 on Windows
Fresh clean profile with only WAM installed, all FF settings at default.

If any blocking rule (just only one is enough) is checked, then this page https://groups.google.com/forum/#!forum/ddawson-addonssupport is blank.

If all blocking rules are cleared (is WAM disabled or not installed), then it loads just fine.

Cheers

Would be handy to have a measurement mode, that logs all the functionality that is used on the page, w/o blocking it

Would be nice if users just want to block subsets of a standard, even if the UI was rough

https://wicg.github.io/webusb/#idl-index

Some of the feature keypaths still have the old moz prefixes. They're not needed anymore

I like the concept behind that preference though I can't have both this extension and that Firefox pref enabled.

I have a page that gets this error even if I clear all "blocked standards":

The page isn’t redirecting properly
Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
This problem can sometimes be caused by disabling or refusing to accept cookies.

From log:
[HTTP/1.1 302 Moved Temporarily]

The only way making it work is to disable WAM,

If would like not to reveal URL here.

Firefox returns a Promise, Chrome wants a callback, need to figure out a way to account for both.

It would be helpful to sync the settings across browsers.

I was looking around and what I've read is Firefox does not support the File API but made their own API called DeviceStorageAPI controlled by about:config pref device.storage.enabled (defaulted to false).

Blog post from 2012 https://hacks.mozilla.org/2012/07/why-no-filesystem-api-in-firefox/

Now, this add-on does cause problems with YouTube if the File API is blocked, so it must be blocking something in Firefox that does indeed follow the File API, though I don't know what the device.storage.enabled pref for their homegrown API does.

There is a non-trivial amount of stuff is going on in cookieencoding.js, and it'd be good to have unit test to make sure stuff doesn't slip backwards

WAM does not seem to be compatible with containerized tabs (Firefox Multi-Account Containers https://addons.mozilla.org/en-GB/firefox/addon/multi-account-containers/)

In the console it is showing Unable to find the Web API Manager settings for when a tab is containerized. It might be another drawback due to the cookie approach of WAM

The following origins are execiting…

For two or more domains which share the same setup (a non default setup),
I think it would be better to set the rule as follows:

*.abc.net,*.xyz.org,*.foo.com,*.bar.com

That means the "pattern" field needs to be an array of domains.

[
	{
		"pattern":[
			"*.abc.net",
			"*.xyz.org",
			"*.foo.com",
			"*.bar.info"
		],
		
		"standards":[
			"Ambient Light Sensor API",
			"Battery Status API",
			"Beacon",
			......
		]
	}
]
]

Thank you so much for this exceptional extension !

This can totally be closed but I was wondering -with uMatrix's grid layout, if you decide to adapt a subscription and per-site control, if it would be easier to manage with a different layout.

Esp. When dealing with third party content

https://w3c.github.io/push-api/

https://w3c.github.io/speech-api/webspeechapi.html

https://www.khronos.org/registry/webgl/specs/latest/2.0/

WebAPI manager v0.9.13
Config: all clear

I use keeweb (self-hosted) as my password manager for some time and I'm having issue with your latest version.

My keeweb is opened in a browser's tab. I copy my credentials from there.

Copy by clicking on the username item = FAIL
Copy by clicking on the password item = FAIL
Copy username using keyboard shortcut (Ctrl+B) = FAIL
Copy password using keyboars shortcut (Ctrl+C) = SUCCESS

The examples at https://clipboardjs.com/ work however. I have to disable this extension to copy my credentials.

Would be nice if *.example.com matched example.com

Would need to make sure it was anonymous, didn't collect URLs (only aggregate statistics) and in general was respectful to users.

Would need a lot of discussion / planning to make right, but don't want to loose the discussion from issue #24

The following CSP keeps the injected script from executing…

default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src https: data: blob:; connect-src https: data: blob:; font-src https: data:; img-src https: data: blob:; media-src https: data: blob:; object-src https:; script-src https: data: blob: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'; block-all-mixed-content; upgrade-insecure-requests; report-uri https://capture.condenastdigital.com/csp/pitchfork

On the setting page we have DOM Level 4, but in the console log this is W3C DOM4

Cheers

I saw this msg on https://forum.xda-developers.com

I think it's from a 1st party script from the search company they use, algolia.net but can't tell much else.

https://forum-lw-1.xda-cdn.com/clientscript/algolia/js/search.js?v=1511529156

https://w3c.github.io/webvr/spec/1.1/#idl-index

It would be nice if, at some point, you could have check boxes beside each API to also pop-up a little notification with an alert that "Battery API was allowed/blocked for example.com."

Something that came up faded away after 2 or 3 seconds. It would kinda give the use an idea of what's popular on sites and I think it could help visualize how they're used without jumping to the console.

Some URLs (ex the start page in firefox) don't allow the extension to inject script. This means that the extension can't determine how many origins are on the current page (even though there is only one).

Would be good to correct this text, to just make the "The following origins are execiting code on this page." text less confusing in situations were we can't determine which origins are executing

https://w3c.github.io/payment-request/

...\content_scripts\dist\standards.js .. idenitifer .. is that meant to be "identifier" (and calls to it elsewhere?). I know its not a typo, because it's used 74 times

      "info": {
         "name": "XMLHttpRequest",
         "subsection_number": null,
         "subsection_name": null,
         "url": "https://xhr.spec.whatwg.org/",
         "idenitifer": "XMLHttpRequest"
      },

Only works for an existing domain…

It would be essential to have import/export possibility in the settings, otherwise is pain to copy the config to other computer.

Cheers

Re #27

If the blocking script exits early because there are no standards to block on the page, then it doesn't remove itself from the page. It should remove itself from the page either way

interesting extension - if the developers are not aware, you might also want to look at http-useragent-cleaner which offers some similar functionality - it's legacy and the UI is bad, but maybe there is something to be gained from it's code regarding development of API Manager

i don't know how useful this would be most people, but i think it would certainly be useful to anyone using a custom configuration (ghacks user.js) to display the browser preference name(s) that correspond to the items in the blocked standards list (where applicable) so that these prefs could be reset if the user would rather control this functionality dynamically with API Manager on a per-domain basis

i think it might also be good to link the browser preference name to (in the case of FF for instance) the Moz KB page (kb.mozillazine.org) since it offers a more usable and general description verses many of the current "info" links

fooling with yet another extension in addition to a user.js, uBO, uM, etc., is less than desirable, but if it can eventually make some of this other privacy/security stuff obsolete, then i think it would be attractive to more people

thanks guys

Steps to reproduce:

• add www.chase.com
• clear all www.chase.com settings
• load www.chase.com in a new window
• browser becomes unresponsive, requires force quit

Quoting from the author:

"We evaluated our extension with two hardened browser configurations, and found that blocking 15 of the 74 standards avoids 52.0% of code paths related to previous CVEs, and 50.0% of implementation code identified by our metric, without affecting the functionality of 94.7% of measured websites."

Please, I have the following simple questions:

1. What does it mean in quantitative terms for the real word? In other words: How many security/privacy attacks occur today in the real world (based in APIs exploits/malwares/virus/hackers etc)?
   I ask for 3 reasons: a) I don't see adds-on or security software worrying about APIs; b) I can measure the risk of exploits/malwares/virus/ransomware/hackers etc, but I don't have quantitative info about API security breaches; and c) WebApiManager is a must for privacy. But I still don't understand the size of security benefits (for the real world). Obviously I understand that attacks could happen trough APIs. My point is that I don't know if today this is happening often or rarely.

2. Even in the hypothetical case that today API security breaches are not often in quantitative terms for the real world, what about the future? It could be a trend? Are attackers trending to use APIs for hacking etc?

3. Does WebApiManager increase browser performance? Decrease? No changes?

Thank you very much!

That global pattern does not seem to be working, on 'default' is showing in the blocking rules pop-up.

To me the meaning of "Blocking of functionality across all domains, with a fallback, "default" blocking rule." is not not quite clear. How is 'default' a fallback, a fallback for what?

From my perspective it would make sense to start with a global rule blocking everything by default and then being able to dynamically ease (pop-up from the toolbar button) the rules for each domain needing relaxed rules, rather then tediously setting rules manually for each domain. For such dynamic setting there should be a general option to reload the page when new (relaxed) settings a applied.

Would be a nice option, similar to what uBlock and Privacy Badger have