Introducing QuaranTab: Companion extension to quarantine tabs so you can safely use them offline with private data<p>I find myself wanting to use online format parsers to quickly decode that production JWT or decode a base64 Authorization header but cannot trust these websites to not leak my information. I thought to myself if only I could cut-off network access to this site, use it offline, and then throw away all browsing data. So I created an extension just for that.<p>It uses Firefox contextual identities API (Containers) to isolate browsing data and inter-tab communication. Once the site is fully loaded, I then inject bogus proxy settings for any requests leaving that container to effectively cut-off network access. And once I'm done, I simply delete the Container.<p>Use Cases:<p>* Parse a live JWT token<p>* Convert a Base64 Authorization header<p>* Hash a password<p>* Parse a Protobuf message<p>* Submit my name and birthdate to estimate my date of death<p>Check out the MIT source code on GitHub [1] and install QuaranTab from the Firefox store [2]. If anyone is interested in a discussion, I'd love to chat about:<p>1. Any ideas on how we could implement this in Chromium? Using private window as a "Container"?<p>2. Can you come up with an exploit? I posted a 100usd bug bounty [3] if you find one!<p>3. Is there any way to prove an extension in the store was built from source in GitHub? I am imagining some kind of third-party escrow service managing the Firefox store account and building from specific public git repository.<p>1. <a href="https://github.com/matusfaro/quarantab">https://github.com/matusfaro/quarantab</a><p>2. <a href="https://addons.mozilla.org/en-US/firefox/addon/quarantab/" rel="nofollow noreferrer">https://addons.mozilla.org/en-US/firefox/addon/quarantab/</a><p>3. <a href="https://github.com/matusfaro/quarantab#bug-bounty">https://github.com/matusfaro/quarantab#bug-bounty</a>
We have our first bug bounty!<p>Thank you "dz2742" for finding out [1] existing connections including websockets are not terminated and has won 100 USD! This is exactly the type of exploit I was hoping to catch.<p>Now I have to figure out how to fix that :) And also think about refilling the bug bounty pool without becoming very poor very soon.<p><a href="https://github.com/matusfaro/quarantab/issues/2">https://github.com/matusfaro/quarantab/issues/2</a>
Cool idea! I don't really picture myself using this, but I think this add-on is a great example of how great a browser Firefox is. I'd be the first to critique Mozilla, and there are definitely things about Firefox I don't like (ex. Pocket, telemetry on by default), but overall I think it's an amazing product in that it allows for multiple levels of isolation (profiles, containers, private mode) and a level of control over them that Chromium either doesn't do as cleanly or doesn't do at all. As an aside, the only thing I think Chromium does better is the debugging experience; I don't truly understand why Firefox thinks it shouldn't support debugging Node.js like Chromium does.
Many of the use cases mentioned are available through a single tool called CyberChef.<p>There is an online version [1] but it doesn't submit any data to any servers. It only loads JS for the operations it needs to perform.<p>You can also download it and run it offline [2]. This is what I do.<p>I'll leave it up to you to decide if this makes QuaranTab unnecessary or if it's the perfect reason to use QuaranTab.<p>[1] <a href="https://gchq.github.io/CyberChef/" rel="nofollow noreferrer">https://gchq.github.io/CyberChef/</a><p>[2] <a href="https://github.com/gchq/CyberChef/releases/">https://github.com/gchq/CyberChef/releases/</a>
Interesting project! Off the top of my head I guess it would be a larger addition since this is currently using built-in Firefox features for isolation, but recording/caching requests that are made during the initial load in order to "freeze" a website until the user chooses to update would make this more useful.<p>If you do want to go down that route, using the blocking `webRequest` to record responses and stick them into storage and then re-serve them from the cache would possibly be the best way to go about it. At that point though I'd probably advise seeing if you could get off of `<all_urls>` as a required permission? And I haven't ever played with blocking network requests for websockets, so I'm not sure if they'd require separate handling.<p>Just a thought. But regardless, thanks for sharing :)
> 3. Is there any way to prove an extension in the store was built from source in GitHub? I am imagining some kind of third-party escrow service managing the Firefox store account and building from specific public git repository.<p>This is (in theory) part of Mozilla's review process, and depending on how the extension is submitted they can (I've heard) be fairly strict about it. But it's not user-facing at all and I don't know how universally they review source code.<p>It really needs to be fixed from Mozilla's end though; I don't see much reason to get a 3rd-party involved instead of to lobby Mozilla to add some kind of process on its own that's more prominent. A 3rd-party verification service would be possible (you'd just download the extension from Mozilla's servers and extract it, re-run the build process and check to see if the artifacts matched), and in theory you could even have a completely separate extension store from Mozilla's -- as long as the extensions are signed you can host them anywhere, and there's nothing preventing you from getting other extensions built from source signed. You could have a pseudo-F-Droid addon store that distributed Mozilla-signed extensions you've pulled from Git and built yourself.<p>But... I mean, I just feel like it's something we should lobby Mozilla to do, they're in the best position to do it and in the best position to have the most impact if they do.
While I applaud your effort and thinking of privacy issues, I will continue to do these in a terminal and Python REPL for all the reasons you bring up.<p>It would certainly be nice to get something ala F-droid for free software extensions like yours (which guarantees source code matches built package IIRC), as a response to your question 3.<p>I am sure one can create an alternative extensions store in FF and change some config in about:config to use it, though it's likely non-trivial.
> Submit my name and birthdate to estimate my date of death<p>Totally off topic, but curious how this works? Nationality and life expectancy? Sex at birth? Assassins for hire?
Cool add on! Thanks for this. It's a use case I've often thought about, for the purposes you mention. I wish there was a built in permission to disable AJAX after page load. Bad for ads, I guess.<p>2. Exploit idea (not trying for the bounty, just thinking aloud). I wonder if a website could play background music (or a video) with stenographically encoded data, then another tab could listen to it with microphone permissions on and decode it that way. I'm thinking like a fake video conferencing site, or malicious telephony how-to doc that deals with API calls and such and links to a fake password hasher that then plays the audio for the first tab to hear. Convoluted, I know, just an idea.
A (user-unfriendly-but-workable) solution for chromium is Devtools->Network->Network Conditions->Offline, then clear all storage and cache after you're done.<p>This only works if you have one tab of this website, since tabs of the same website can message each other (and exfiltrate data).<p>Also useful for debugging frontend bugs in "destructive" operations in production :)
I wonder how far you could get in accomplishing the same thing by setting a Content Security Policy (CSP) [1] on the page.<p>[1] <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP" rel="nofollow noreferrer">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a>
You can add to your uses cases a web viewer for MRI/CT scan results <a href="https://madacol.github.io/ozempic-dicom-viewer/" rel="nofollow noreferrer">https://madacol.github.io/ozempic-dicom-viewer/</a>
I use and recommend <a href="https://flathub.org/apps/com.github.liferooter.textpieces" rel="nofollow noreferrer">https://flathub.org/apps/com.github.liferooter.textpieces</a>
that's a nice idea<p>the same way you can silence the sound output of a tab you should have as simple and reliable a tool to stop communication to either the network, os or both.<p>i'd love a tool to see which tabs are talking with each other also