Origin Enforcer 作者: sje

This is what browsers are supposed to do by default. In a proper security model, users have control, and give permissions to the websites to perform background requests to third party servers flowing out of websites. Websites should declare what third parties they use, why, and who owns the domains. But they don't, and calls especially to google and facebook in many sites let them track you everywhere. Websites secretly are making huge numbers of calls with cookies to other places on the internet without you knowing at all.

Users should decide which third party domains are ok! For too long, corporations like google and facebook have undermined internet security and hacked the http protocol to bypass security controls and take away the privacy and security of internet users. They have intentionally violated the basics of user controlled sandbox security model for mass surveillance.

This plugin intends to restore the power to the user in deciding cross domain and third party calls from websites. Websites should only make calls back to themselves, a simple principal called 'single origin' that protects users against viruses, security concerns, and surveillance. In this cross origin sandbox, the websites need your permission to make cross domain calls.

Manage which calls are allowed in the interface. You can upvote domains you allow, or downvote them to. block them. By default, only calls back the websites own domain is allowed. This will break many sites by default. Good sites, like duckduckgo.com work fine. Terrible sites may not come up at all. Some sites may be missing images since they come from another domain. If you want to see blocked images, right click the image, choose inspect element, and see the src, which domain it is coming from. Then you can allow this domain. Some sites will need many third party domains to work unfortunately. This is a simple way to allow everything for each site. You can also choose allow everything except cookies for sites that do not have a login and have should have no need for cookies.

Unfortunately browsers and websites today have granted themselves control to make any calls to anybody with cookies. This is all done under the covers, in secret, and causes a plague of malware, security issues, flood of internet spam calls and mass surveillance. Websites insert tracking and third party cross domain calls without regard, and browsers blindly go ahead and make these calls in secret without consent of the user to enable mass surveillance.

Corporations such as Google (via chrome, android, plugins, etc) and Facebook (via facebook.com and plugins) intentionally violate basic principals of user ownership and control, spread fake plugins, create fake sandboxes, and undermined security and privacy without regard for basic security norms. It is our job to stop them! This plugin restores the basic right that users control what third parties can receive calls from any site. Sites should only call back to themselves... and no others. They should referencing third party software and scripts, not load them from third parties.

This plugin enforces these basic rules regardless of what the websites wants to do, and takes back the control to the user from the broken security model of the browsers and websites. It stops the dangerous and sloppy web coding practices. It also makes visible the sloppy mess of cross domain calls going on behind the scenes on so many websites, showing the shocking state of the situation, and showing what is going on behind the scenes in secret without any user consent.

At a minimum, this plugin will expose the problem, showing the huge number of calls to thirdparties. Any site using many third parties should be rejected. You can fine tune what calls are allowed, such as allowing some needed calls, but rejecting others like to facebook or google or ad services.