⚠️ This is a hobby project and might not provide good protection. Do not rely on it for professional phishing protection.

Browser extension blocking websites the user has not opened before.

The goal of this extension is to help protect against phishing attacks and against accidental typos when typing a URL. Users should however still be vigilant when opening links. This extension might not protect against all attacks, might be disabled in certain situations (e.g. in a Firefox private window, without the extension being enabled for Private Browsing), and might not be installed on all devices of the user.

Every time the user opens a new website, the extension checks if the user has opened the website before (i.e. if it is a 'known site' to the user). If this is not the case, loading of the website is blocked and a warning page is shown. On that page the user is informed that they have not opened the website before. They then have the choice to open the website, or to go to previous website / close the tab. When the user choses to open the website, this choice is temporarly stored, and additionally because the browser adds it to the history, it will be considered 'known' next time; see the sections below.

An icon in the browser toolbar indicates that the extension is active; it can be removed if desired (Firefox documentation).

A website is considered 'known' to the user if any of the following applies:

• the browser history contains an entry with the same domain
• a browser bookmark with the same domain exists

The extension uses the Public Suffix List (possibly a slightly outdated version) for obtaining the domain. This avoid false positives when the content for the domain and all its subdomains is created by the domain owner, but at the same time differentiates between subdomains when their content is user controlled.

• For this extension to work properly, the browser should be configured to record the browsing history (active by default, see related Firefox settings). Because this extension itself does not persistently store information about 'known' websites, it might otherwise consider all websites unknown the next time the browser is opened.
• This extension only checks websites opened as top-level documents in tabs; it does not check content included in <iframe>, content loaded in the background (e.g. scripts or stylesheets) or images.

• Chrome Desktop (Incognito mode is not supported)
• Firefox Desktop

Other browsers might not support all features needed by this extension.

1. In Visual Studio Code press Ctrl + Shift + B, or alternatively run in the terminal:

   npm run watch

   This will start watching changes in the TypeScript sources, compiles and bundles them.

2. In a separate terminal, run:

   npm run debug-firefox

   This will launch a development browser Firefox browser and automatically apply changes made to the extension resources.

3. In the development Firefox browser, open about:debugging. See the Extension Workshop documentation for more information.

It is recommended to use Visual Studio Code for development.

For manual testing instructions, see Manual testing.

npm run package

This will create the packaged extension under ./web-ext-artifacts.

• Implementation based on HTTPS Everywhere
• npm packages:
  • lru-cache: Cache implementation used for domain cache
  • psl: JavaScript API around the Public Suffix List
  • punycode: Punycode domain decoding
• Bootstrap Icons