1

I created a small JavaScript application for which I reused some (quite large) JavaScript resources that I downloaded from the internet. My application runs in the browser like other interactive web applications but works entirely offline.

However, I intend to enter some private information in the application which it shall visualize. Since I cannot ultimately trust the JavaScript pieces that I downloaded, I wonder if there is a JavaScript option to make sure that no data is downloaded and, in particular, uploaded to the web.

Note that I am aware that I can cut off the local internet connection or perhaps change browser settings or use an application firewall, but this would not be a solution that suits my needs. You may assume that the isolation of a browser instance is safe, that is, no other (possibly malicious) web sites can access my offline JavaScript application or the user data I enter. If there is a secure way to (automatically) review the code of the downloaded resources (e.g. because communication is possible only via a few dedicated JavaScript commands that I can search for), that would be an acceptable solution too.

highsciguy
  • 2,569
  • 3
  • 34
  • 59

2 Answers

1

You should take a look at the Content Security Policy (CSP) (see here and here). This basically blocks every connection from your browser to any other hosts, unless explicitly allowed. Be aware that not all browsers support CSP, which leads to potential security problems.

Reviewing the library code might be difficult because there are many ways to mask such code pieces.

ssc-hrep3
  • 15,024
  • 7
  • 48
  • 87
  • Thanks, I did not know that. Concerning the review, could there be a chance to use machine code of some sort generated from the JavaScript to nail it down (e.g. if all JavaScript ways to communicate effectively boil down to a few specific library calls)? – highsciguy May 17 '18 at 08:47
1

Find it yourself by watching your browser's network activity while your application is in action.

There are more than enough tools to do this. Also, if you know how to use the netstat command-line tool, it is readily shipped with Windows.

Here is one cool Chrome extension which watches the traffic of the current tab.

https://chrome.google.com/webstore/detail/http-trace/idladlllljmbcnfninpljlkaoklggknp


And, here is another extension which can modify the selected traffic.

https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en

You can set the filters and modify all requests/responses happening in your page.

If you want to write an extension to block requests yourself, check this answer out.

Charlie
  • 22,886
  • 11
  • 59
  • 90
  • Yes, that's an option I considered. Of course it is restricted in that it would be hard for me to test every condition that the application may possibly run into. I.e. the reused code may communicate only under specific circumstances that I fail to address when testing. – highsciguy May 17 '18 at 08:45
  • That doesn't tell you what code is actually causing the communication, though. – Cerbrus May 17 '18 at 08:51
  • @Cerbrus OP said that his code doesn't communicate. So, if he sees any log, it must be the libraries he uses. – Charlie May 17 '18 at 09:24
  • Yes, but what function in those libraries? – Cerbrus May 17 '18 at 09:28
  • Doesn't he have to make sure that a library is not communicating? So, he has his input when he sees an activity in the log - a library is communicating. Besides, he can go to Chrome's network tab and find out exactly where the request is originating from. – Charlie May 17 '18 at 09:32