Browser Feature Usage on the Modern Web

Modern web browsers are incredibly complex, with millions of lines of code and over one thousand JavaScript functions and properties available to website authors. This work investigates how these browser features are used on the modern, open web. We find that JavaScript features differ wildly in popularity, with over 50% of provided features never used on the web's 10,000 most popular sites according to Alexa. We also look at how popular ad and tracking blockers change the features used by sites, and identify a set of approximately 10% of features that are disproportionately blocked (prevented from executing by these extensions at least 90% of the time they are used). We additionally find that in the presence of these blockers, over 83% of available features are executed on less than 1% of the most popular 10,000 websites. We further measure other aspects of browser feature usage on the web, including how many features websites use, how the length of time a browser feature has been in the browser relates to its usage on the web, and how many security vulnerabilities have been associated with related browser features.
