DOI: 10.1145/2987443.2987466
Browser Feature Usage on the Modern Web

Published: 14 November 2016

Abstract

Modern web browsers are incredibly complex, with millions of lines of code and over one thousand JavaScript functions and properties available to website authors. This work investigates how these browser features are used on the modern, open web. We find that JavaScript features differ wildly in popularity, with over 50% of provided features never used on the web's 10,000 most popular sites according to Alexa.
We also look at how popular ad and tracking blockers change the features used by sites, and identify a set of approximately 10% of features that are disproportionately blocked (prevented from executing by these extensions at least 90% of the time they are used). We additionally find that in the presence of these blockers, over 83% of available features are executed on less than 1% of the most popular 10,000 websites.
We further measure other aspects of browser feature usage on the web, including how many features websites use, how the length of time a browser feature has been in the browser relates to its usage on the web, and how many security vulnerabilities have been associated with related browser features.

Published In

IMC '16: Proceedings of the 2016 Internet Measurement Conference
November 2016
570 pages
ISBN: 9781450345262
DOI: 10.1145/2987443
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. javascript
  2. web browser features
  3. web measurement

Qualifiers

  • Research-article

Conference

IMC 2016: Internet Measurement Conference
November 14 - 16, 2016
Santa Monica, California, USA

Acceptance Rates

IMC '16 Paper Acceptance Rate 48 of 184 submissions, 26%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%

Cited By

  • (2024) Tacoma: Enhanced Browser Fuzzing with Fine-Grained Semantic Alignment. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1174-1185. DOI: 10.1145/3650212.3680351. Online publication date: 11-Sep-2024
  • (2024) Enhancing SEO in Single-Page Web Applications in Contrast With Multi-Page Applications. IEEE Access 12, pp. 11597-11614. DOI: 10.1109/ACCESS.2024.3355740. Online publication date: 2024
  • (2024) JSMBox—A Runtime Monitoring Framework for Analyzing and Classifying Malicious JavaScript. Software and Data Engineering, pp. 100-122. DOI: 10.1007/978-3-031-75201-8_8. Online publication date: 19-Oct-2024
  • (2023) Pool-party. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 7091-7105. DOI: 10.5555/3620237.3620634. Online publication date: 9-Aug-2023
  • (2023) Rods with laser beams. Proceedings of the 32nd USENIX Conference on Security Symposium, pp. 4157-4173. DOI: 10.5555/3620237.3620470. Online publication date: 9-Aug-2023
  • (2023) Automatic Discovery of Emerging Browser Fingerprinting Techniques. Proceedings of the ACM Web Conference 2023, pp. 2178-2188. DOI: 10.1145/3543507.3583333. Online publication date: 30-Apr-2023
  • (2023) ASTrack: Automatic Detection and Removal of Web Tracking Code with Minimal Functionality Loss. IEEE INFOCOM 2023 - IEEE Conference on Computer Communications, pp. 1-10. DOI: 10.1109/INFOCOM53939.2023.10228902. Online publication date: 17-May-2023
  • (2023) An Application of MCDA Methods in Sustainable Information Systems. Neural Information Processing, pp. 377-388. DOI: 10.1007/978-981-99-1645-0_31. Online publication date: 14-Apr-2023
  • (2023) Evaluation of the Preference of Web Browsers Among Undergraduates Using AHP-TOPSIS Model. Proceedings of Third International Conference on Sustainable Expert Systems, pp. 851-861. DOI: 10.1007/978-981-19-7874-6_62. Online publication date: 23-Feb-2023
  • (2022) FP-Radar: Longitudinal Measurement and Early Detection of Browser Fingerprinting. Proceedings on Privacy Enhancing Technologies 2022:2, pp. 557-577. DOI: 10.2478/popets-2022-0056. Online publication date: 3-Mar-2022
