Which Web APIs should we be looking at?

[gbaptista]

Currently we can identify and/or block the following Web APIs:

WebAPI	method	intercepted?	reported?	can be blocked?
EventTarget	removeEventListener	✅	❌	❌
EventTarget	addEventListener	✅	✅	✅
Battery Status	getBattery	✅	✅	✅
Fetch API	fetch	✅	✅	✅
Gamepad API	getGamepads	✅	✅	✅
Geolocation	getCurrentPosition	✅	✅	✅
Geolocation	watchPosition	✅	✅	✅
HTTP headers	User-Agent	✅	✅	✅
NavigatorID	userAgent	✅	✅	✅
Window	setInterval	✅	✅	✅
Window	setTimeout	✅	✅	✅
Window	requestAnimationFrame	✅	✅	✅
WebSocket	send	✅	✅	✅
XMLHttpRequest	open	✅	✅	✅
XMLHttpRequest	send	✅	✅	✅

Update: Including Battery Status, Gamepad API, HTTP headers and NavigatorID.
Update 2: Including requestAnimationFrame.

See more details at: What is detected?

Question: What other web APIs should we intercept?

Mozilla has incredible documentation on the various existing Web APIs: MDN: Web APIs

Ideally we could try to identify all. But this is not necessarily the best approach since some of them may not cause damage that would justify the block and would confuse even more on what to block or not.

I've been thinking about looking at these two:

• Beacon API

Requests are guaranteed to be initiated before a page is unloaded and they are run to completion.

When I leave the website, will you still collect data about me? why?

• Web Speech API

...which provides the ability to recognize voice context from an audio input...

Is it possible for a website to be transcribing my conversations when my microphone is enabled? 🤔

[Atavic]

SharedWorker, SharedWorkerGlobalScope and the likes. Why?

See the complete list of functions available to workers:

Broadcast Channel API and Channel Messaging API available in workers.

[Atavic]

Generic Sensor API: Security and privacy considerations

The leaking battery: A privacy analysis of the HTML5 Battery Status API [PDF]

Links found here.

[gbaptista]

@Atavic Great suggestions, thank you! I'm reading more about each one and creating the interceptions.

New ones that are available in version 0.0.22:

• User-Agent header and NavigatorID.userAgent: Used for fingerprint and tracking.

• getBattery, shared by @Atavic:

  The leaking battery: A privacy analysis of the HTML5 Battery Status API [PDF]

• Navigator.getGamepads: Some browsers can show how many USB ports your computer has, can be used for fingerprint.

More details: What is detected?

[Atavic]

Alphabetical list: https://github.com/mdn/browser-compat-data/tree/master/api

[DeronLJ]

If I had to vote for one, it would be window.requestAmimationFrame. I have encountered a few web sites with unneeded and poorly written animations that really slow things down.

You might want to take a look at the Web API Manager extension. The author no longer maintains it, but he has grouping of lite settings you could consider detecting by default. I used it before I came across Luminous.

[gbaptista]

@DeronLJ requestAmimationFrame is a good one! Detection added: Support for requestAnimationFrame() #115.

Available in version 0.0.28.

Thank you!