browser.md

APIs

• A site to test the interaction of web APIs and browser permissions.
• https://web.dev/new-patterns-for-amazing-apps
• https://blog.stackblitz.com/posts/introducing-webcontainers
• https://github.com/NOtherDev/whatwebcando
• https://github.com/samdutton/simpl
• How to Get Around Newspaper Paywalls in 2019
• Trying out and demonstrating different browser APIs
• https://github.com/deebloo/things-you-can-do-in-a-web-worker
• This repo contains a non exhaustive list of less-known features implemented in browsers today.
• new MutationObserver()
• https://github.com/AurelioDeRosa/HTML5-API-demos
• https://blog.greenroots.info/10-lesser-known-web-apis-you-may-want-to-use-ckejv75cr012y70s158n85yhn
• https://formidable.com/blog/2020/resize-observer
• https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web + https://twitter.com/webkit/status/1318256785447211009
• https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html
• https://iandunn.name/2019/11/29/minimal-cachestorage-cache-api-example
• https://stackoverflow.com/questions/16808486/explanation-of-window-performance-javascript
• https://www.smashingmagazine.com/2021/01/web-expose-hardware-capabilities
• https://engineering.q42.nl/passwordless-authentication
• Proposal for an API which would allow grabbing a screenshot.
• https://www.vector-logic.com/blog/posts/on-request-animation-frame-and-embedded-iframes
• https://wolfgangrittner.dev/how-to-use-clipboard-api-in-firefox
• https://github.com/azu/url-cheatsheet
• https://www.macarthur.me/posts/navigating-the-event-loop
• https://richiemccoll.com/javascript-scheduling

Bookmarklet

• Open in Gmail

javascript: (() =>
  (window.location.href = `https://mail.google.com/mail/?view=cm&fs=1&tf=1&[email protected]&su=${document.title}&body=${window.location.href}`))();

• Speed controls
• https://github.com/Blumed/make-bookmarklets
• https://github.com/marcobiedermann/awesome-bookmarklets
• Find out which element is scrolling.
• Performance-Bookmarklet helps to analyze the current page through the Resource Timing API, Navigation Timing API and User-Timing - requests by type, domain, load times, marks and more. Sort of a light live WebPageTest.
• https://www.secjuice.com/make-your-own-custom-osint-bookmarklet-tools-part-ii
• https://emanuelduss.ch/2020/06/humble-book-bundle-download-bookmarklet
• world smallest office suite
• Bookmarklets for sending emails and adding todo items
• https://www.farai.xyz/notes/tech-tips/please-archive-content
• https://github.com/ThomasOrlita/awesome-bookmarklets
• Script Kit. Automate Anything
• https://ryangjchandler.co.uk/posts/bookmarklets-you-should-definitely-be-using
• Read premium articles for free
• https://knowler.dev/blog/open-in-codesandbox-bookmarklet
• https://github.com/t-mart/kill-sticky
• Linter for Responsive Images
• https://jojo.io/posts/bookmarklets-speed
• Get your Kindle highlights out of the cloud and onto your computer + https://alan.norbauer.com/articles/bookcision
• https://github.com/jakecreps/osint-bookmarklets
• https://eriksolsen.com/blog/dynamic-bookmarks-in-google-chrome
• https://gabrielsroka.github.io/webpages/bookmarklets.htm
• https://github.com/satisfice/web-testing-bookmarklets

Document Object Model (DOM)

• Common tasks of managing HTML DOM with vanilla JavaScript
• https://github.com/mikewest/deprecating-document-domain
• https://danlevy.net/you-may-not-need-axios
• Everything you (n)ever wanted to know about touch and pointer events
• https://labs.detectify.com/2016/12/08/the-pitfalls-of-postmessage
• https://chrisrng.svbtle.com/using-url-createobjecturl
• POST data to the server even inside onbeforeunload, etc where XHR/fetch isn't reliable.
• Async DOM listeners
• .dom is a tiny (512 byte) template engine that uses virtual DOM and some of react principles.
• https://www.malgol.com/how-to-reload-an-iframe-in-javascript
• Avoid appending to innerHTML
• https://github.com/Schepp/async-document.write
• https://hachibu.net/posts/2020/keyboard-events-tldr
• bypass document.write
• https://css-tricks.com/using-abortcontroller-as-an-alternative-for-removing-event-listeners
• https://benfrain.com/building-a-table-of-contents-with-active-indicator-using-javascript-intersection-observers
• What is document.domain?
• appending multiple elements to the DOM?
• Find out which element is scrolling + https://twitter.com/funkensturm/status/1222616188485799937
• is there a way to debug dom events in a timeline?
• A zero friction custom elements like primitive.
• DOM event data scraped from MDN
• https://workspaceupdates.googleblog.com/2021/05/Google-Docs-Canvas-Based-Rendering-Update.html + https://news.ycombinator.com/item?id=27129858
• https://whistlr.info/2020/understanding-load
• DOM Traversing and Scraping using GraphQL
• Collection of functions used for DOM manipulations
• Fire mouse events when a user intends it
• https://github.com/0xGodson/blogs/blob/master/_posts/2022-07-21-art-of-dom-clobbering.md
• https://github.com/cms/domready
• https://github.com/mgp/book-notes/blob/master/advanced-dom-scripting.markdown
• https://frontendmasters.com/blog/vanilla-javascript-todomvc
• A simple method to invoke a function after the browser has rendered & painted a frame
• https://www.macarthur.me/posts/options-for-removing-event-listeners
• https://www.macarthur.me/posts/when-dom-updates-appear-to-be-asynchronous
• random overflowing element
• https://blog.andri.co/022-should-i-use-ecode-or-ekey-when-handling-keyboard-events
• https://noncombatant.org/2017/11/07/problems-of-urls

new IntersectionObserver()

• Using the Intersection Observer web API to improve performance.
• Intersection Observer by Kevin Powell
• https://github.com/snewcomer/intersection-observer-admin
• https://ryanmulligan.dev/blog/sticky-header-scroll-shadow

new MutationObserver()

• syntax-fm-sticky-show-notes.user.js

new URL()

• ? vs #
• https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse + https://twitter.com/ankit_anubhav/status/1592109955641126912

new Worker()

• Why don't we just move all JS to a web worker? + https://docs.google.com/document/d/1nu0EcVNC3jtmUVWL8Gs5eCj2p_984kamNhG2nS9gOC0/edit#heading=h.e6n21l1n04rc
• Is ServiceWorker intended to be a SharedWorker that works offline?
• https://github.com/delapuente/service-workers-101
• Tips for working with ServiceWorker
• ServiceWorker Testing made easy
• https://dev.to/thepassle/the-mental-gymnastics-of-service-worker-257g
• https://github.com/dominiccooney/Service-Worker-Performance
• https://jychp.medium.com/how-to-bypass-cloudflare-bot-protection-1f2c6c0c36fb + https://twitter.com/XssPayloads/status/1376382674173112320
• https://github.com/offlinefirst/research
• https://souporserious.com/bundling-workers-for-npm
• Measure cpu cache size client side in Javascript
• https://dagster.io/blog/web-workers-performance-issue
• https://github.com/astoilkov/main-thread-scheduling
• Stuff I wish I'd known sooner about service workers
• https://philipwalton.com/articles/smaller-html-payloads-with-service-workers
• https://blog.persistent.info/2021/08/worker-loop.html
• load modules into web workers, access them asynchronously
• monitoring tool to implement client-side caching

Engine

• https://dev.to/lydiahallie/javascript-visualized-the-javascript-engine-4cdf
• https://github.com/a0viedo/demystifying-js-engines
• https://zon8.re/posts/v8-chrome-architecture-reading-list-for-vulnerability-researchers
• https://zon8.re/posts/jsc-architecture-reading-list-for-vulnerability-researchers + https://zon8.re/posts/jsc-internals-part1-tracing-js-source-to-bytecode
• Notes and resources related to V8 and thus Node.js performance.
• https://github.com/hex13/javascript-visual-explanations#javascript-engines
• https://deepu.tech/memory-management-in-v8
• https://twitter.com/awesomekling/status/1314552767021813760
• https://github.com/danbev/learning-v8
• https://github.com/danbev/learning-libuv
• https://www.cyberark.com/resources/threat-research-blog/the-mysterious-realm-of-javascriptcore
• a very small v8 javascript runtime for linux only
• https://mrale.ph/v8/resources.html
• V8 sandbox
• https://docs.google.com/presentation/d/1NVyRgitg-2CyN3BuoZZF6F-Dw8PuDybFjkFICAyYPHo
• Part 1 covers V8 internals such as objects, properties, and memory optimizations
• Building Chrome V8 on Windows
• Bun? Deno? Node.js? Creating your own JavaScript Runtime using V8, Libuv and more
• https://github.com/eatonphil/one-pass-code-generation-in-v8
• https://github.com/wdv4758h/awesome-jit
• https://github.com/mgaudet/SpiderMonkeyBibliography

Exploit

• Awesome list of browser exploitation tutorials
• Browser Exploitation - LiveOverflow
• Browser logic vulnerabilities DB
• Microsoft Edge (Chromium) - EoP via XSS to Potential RCE
• Software-based Side-Channel Attacks and Defenses in Restricted Environments (PhD thesis)
• https://www.ryanpickren.com/webcam-hacking + https://twitter.com/domenic/status/1245871443729985536
• Building a 1-day Exploit for Google Chrome
• https://github.com/qazbnm456/awesome-cve-poc
• https://github.com/allpaca/chrome-sbx-db
• https://googleprojectzero.blogspot.com/p/0day.html
• https://github.com/SpiralBL0CK/Browser-Pwning-
• https://github.com/StarCrossPortal/bug-hunting-101
• https://github.com/nccgroup/exploit_mitigations
• https://github.com/cezary-sec/awesome-browser-security + https://m.youtube.com/playlist?list=PLuHcjpINS_OJntoGxRu0FEju5ak0yE_46
• Practical Exploitation of Math.random on V8

Extension

• Extension source viewer
• https://github.com/jxnl/youtube-summary-chrome
• A new tab page extension with material design and useful features
• https://github.com/OsaSoft/youtube-better-subscriptions
• Uncovering a crazy privilege escalation from Chrome extensions + https://twitter.com/deryilz/status/1724506569973416282
• https://github.com/msfrisbie/spy-extension + https://mattfrisbie.substack.com/p/spy-chrome-extension
• Encrypt Gmail with PGP
• Check how trackable you are based on your browser extensions
• https://ninoseki.github.io/2020/05/16/browser-extension.html
• decide which cookies you want and don’t want, auto-accepts cookie pop-ups for you, and warns you whenever it finds a website not respecting your preferences
• https://github.com/ryanckulp/twitter_ad_blocker
• The browser extension framework
• Skip youtube video sponsors
• Chrome Extension for one click downloading all resources files and keeping folder structures
• A Chrome extension that adds a 3d photo effect to instagram pages
• Firefox addon for passively detecting GPS Exif information in JPEGs
• Whisper & GPT-based app for passing remote SWE interviews
• adds back "View Image" button to Google Image Search results
• https://github.com/Pondorasti/nextjs-chrome-extension
• JShelter controls the APIs provided by the browser, restricting the data that they gather and send out to websites
• https://github.com/Correia-jpv/ChatGPT-Enhanced-Conversation-History
• Identify technology on websites.
• https://github.com/aeksco/react-typescript-chrome-extension-starter
• https://robertheaton.com/2018/05/07/making-youtube-less-bad-for-you-using-css
• https://mmazzarolo.com/blog/2019-01-13-another-tab
• https://github.com/olsh/Feedly-Notifier
• https://github.com/emragins/chrome-azure-devops
• A keyboard interface to the web, inspired by Kakoune
• https://github.com/acorn/twitter-bookmarks-search
• https://github.com/Kiwka/urban-dictionary-chrome-extension
• Generate a .sketchpalette file from any dribbble shot's color palette to be loaded in Sketch-Palette plugin.
• Puts an RSS/Atom subscribe button back in URL bar
• https://www.amie-chen.com/blog/making-paid-extension
• https://www.notion.so/Day-4-The-Danger-of-Chrome-Extensions-af93b84006ed48c18b807f512b6c0a07
• Reader Mode
• https://www.onaralili.com/posts/maliciousbrowserextension + https://www.onaralili.com/posts/browser-extension-threat-modeling
• SplitUp! is a browser extension allows a user to split tabs into a different window, save session, export tabs, supports multiple screens, dark mode etc.
• https://github.com/learn-anything/firefox-extensions
• https://github.com/learn-anything/chrome-extensions
• https://github.com/stefanbuck/awesome-browser-extensions-for-github
• https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo
• An HTTP Web Server for Chrome (chrome.sockets API)
• https://github.com/janodvarko/webext-websocket-monitor
• Chromebook app for forwarding connections from/to different ports and interfaces (or to internal android IP)
• Custom keyboard shortcuts
• Discover hidden debugging parameters and uncover web application secrets
• augments your ChatGPT prompts with web results
• https://github.com/pandawing/node-chrome-web-store-item-property
• https://github.com/infokiller/web-search-navigator
• Browser Extension to full-text search your browsing history & bookmarks.
• Open Graph Preview - How people will see your site in the most popular social networks
• Open New Tab, and write down every piece of your thought!
• https://shubhapradha.github.io/30daybookmarks
• https://chrome.google.com/webstore/detail/seo-search-simulator-by-n/edfjfgjklednkencfhnokmkajbgfhpon
• Browser extension to find SVGs on a webpage and download or copy to clipboard
• https://chrome.google.com/webstore/detail/earth-view-from-google-ea/bhloflhklmhfpedakmangadcdofhnnoh
• A browser extension to quickly fill shopping carts with electronic components
• https://github.com/joachimesque/humanstxt-webextension
• Image to text chrome extension + https://youtu.be/27vNfF-K52c
• Chrome extension to minimize the UI of YouTube.
• I am wondering why es modules are not well supported when building @ChromiumDev extensions?
• 😷 A browser extension that puts masks on faces on the internet.
• An extension to check if .git is exposed in visited websites.
• SourceKit for Safari is a browser extension for GitHub, that enables IDE features on your browser such as symbol navigator, go to definition and documentation on hover.
• Zoom Redirector is a browser extension that transparently redirects any meeting links to use Zoom's browser based web client.
• A Chrome extension static analysis tool to help aide in security reviews: repo + blog post
• https://thehackerblog.com/kicking-the-rims-a-guide-for-securely-writing-and-auditing-chrome-extensions/index.html
• https://github.com/theajack/disable-devtool
• Be able to use developer tools again
• IE Tab exactly emulates IE by using the IE rendering engine directly within Chrome.
• Browser extension that replaces the new tab page with Anki flashcards
• A tool that transforms Firefox browsers into a penetration testing suite
• https://github.com/aaronjanse/dns-over-wikipedia
• https://github.com/makaroni4/youtube_time_tracker
• VoiceFiller Speech To Text for Website Forms
• Google Chrome Extension. Record All Browsing in Screenshots & Full Text.
• A Chrome extension to provide a QR code of the current Page Url.
• Core Web Vitals Chrome extension measures: Largest ContentFull Paint, First Input Delay, Cumulative Layout Shift
• https://github.com/vinothsparrow/iframe-broker + https://github.com/Sjord/messpostage
• WorldBrain's Memex: Bookmarking for the power users of the web
• A Firefox add-on to strip Google search results of 'blacklisted' URLs
• Follow blogs, wikis, YouTube channels, as well as accounts on Twitter, Instagram, etc. from a single page.
• Puppeteer recorder is a Chrome extension that records your browser interactions and generates a Puppeteer script.
• Keyboard glee for your web.
• Hunt the most starred projects on any date on GitHub.
• Google Chrome translation extension.
• Awesome Screenshot Minus
• https://zonksec.com/blog/chrome-extension-to-detect-fake-tweets
• Instant Data Scraper extracts data from web pages and exports it as Excel or CSV files
• https://chrome.google.com/webstore/detail/mercury-reader/oknpjjbmpnndlpmnhmekjpocelpnlfdi
• https://www.i-dont-care-about-cookies.eu
• Search the information available on a webpage using natural language instead of an exact string match
• https://chromeextensionkit.com + https://news.ycombinator.com/item?id=24423023
• Chrome extension that helps you learn a language without even trying.
• Really simple and secure ads blocking for Chrome
• https://mmazzarolo.com/blog/2020-08-29-jira-express
• Chrome extension to track the activities of your favorite web novels + https://github.com/l-lin/wn-tracker-api
• https://github.com/jiripospisil/chrome-ext-downloader
• Create modern cross-browser extensions with no build configuration
• Posta is a tool for researching Cross-document Messaging communication. It allows you to track, explore and exploit postMessage vulnerabilities, and includes features such as replaying messages sent between windows within any attached browser.
• A boilerplate project to quickly build a Chrome extension using TypeScript and React (built using webpack).
• Screenity is a feature-packed screen and camera recorder for Chrome
• Manage tabs, bookmarks, your browser history
• Transform all your mailto and tel link in a beautiful modal with more possibilities! Open directly Gmail, Outlook and Yahoo for emails; Telegram, WhatsApp or Skype for phone numbers.
• https://github.com/iamadamdev/bypass-paywalls-chrome + https://github.com/iamadamdev/bypass-paywalls-firefox
• The missing star history graph of github repos
• Extension to block Service Workers registration in Chrome
• Chrome Extension to export all accessible cookies of the current Tab
• Spectroscope, identifies resources which are exempt from default protections enabled in Google Chrome (Cross-Origin Read Blocking, SameSite cookies) and which can be embedded cross-site.
• https://github.com/juanlizarazo/a-better-linkedin-chrome-extension
• Firefox Voice is a browser extension that allows you to give voice commands to your browser + https://news.ycombinator.com/item?id=24040539
• ArchiveFox is a Firefox extension developed to use ArchiveBox without leaving the browser.
• https://github.com/dkthehuman/extension-starter-kit
• Between Simplified Chinese (ZH-CN or GB2312) and Traditional Chinese (ZH-TW or BIG5)
• https://github.com/giuseppeg/is-nextjs-site-extension
• Track changes in a specific tab and get a notification when something happens
• A Chrome Extension to export all words from a Memrise course to a CSV file.
• Chrome extension that allows you to monitor, browse and filter all DOM changes.
• Chrome extension for easily manipulating URL query parameters, written in Elm.
• WebExtension that adds ability search all your bookmarked tweets!
• DuckDuckGo Privacy Essentials
• https://charliegerard.dev/project/dark-mode-clap-extension
• https://parsiya.net/blog/2021-04-30-testing-extensions-in-chromium-browsers-nordpass + https://twitter.com/CryptoGangsta/status/1388253367395225602
• Chrome extension recommends local businesses while shopping on Amazon or eBay + https://news.ycombinator.com/item?id=27086582
• Firefox extension for a button that temporarily disables your proxy settings (Quick Proxy Toggle)
• Chrome extension that will help Romanian driving license learners to pass their exam.
• https://news.ycombinator.com/item?id=27327892 + Many temptations of an open-source chrome extension developer
• https://github.com/raxod502/github-email-backlog
• Find secrets that leak into JavaScript, as well as sensitive files exposed like like .git or .env + https://trufflesecurity.com/blog/trufflehog-the-chrome-extension
• Kanban style New Tab Page extension with your bookmarks and powerful search
• https://github.com/NekitCorp/chrome-extension-svelte-typescript-boilerplate
• I wanted to see how much time I was spending on each website and set limits for certain ones.
• Forces Apple docs to open in Objective-C + https://twitter.com/dimitarnestorov/status/1280734520891912192
• A tweak that enables iOS safari to load chrome extensions
• https://github.com/mhadidg/refined-linkedin-feed
• This extension attempts to make Google Images look and feel like it did before they changed everything on August 6th, 2019
• ClearURLs is an add-on based on the new WebExtensions technology and will automatically remove tracking elements from URLs to help protect your privacy
• web surfing copilot by enhancing your browsing history, improving your web exploration experience, and integrating with your knowledge base
• A High-Fidelity Web Archiving Extension for Chrome and Chromium based browsers
• https://github.com/albertz/chrome-ext-google-takeout-downloader
• https://github.com/eloquence/freeyourstuff.cc
• https://github.com/felladrin/linkedin-autoconnect-chrome-extension
• A blazing fast & offline frontend playground
• https://github.com/ffmpegwasm/chrome-extension-app
• https://github.com/gordalina/gmail-unsubscribe
• Add support for a StreamDeck to Google Meet using WebHID
• https://github.com/mattchep/bofa-allow-paste-extension
• https://github.com/jsjoeio/timezoner-extension
• Fill in login forms using an OpenPGP-enabled smart card
• Import .ics files into Google Calendar with only two clicks
• https://github.com/Anarios/return-youtube-dislike
• https://github.com/tombaranowicz/BetterNewTab
• Export Google Chrome bookmarks into markdown files
• Sign transactions with your private keys securely from within the browser without ever exposing them
• https://github.com/zach-adams/downloads-overwrite-already-existing-files
• https://dexonline.ro/static/download/dex-ff.xpi + https://addons.mozilla.org/ro/firefox/addon/dexonline
• https://github.com/jemmaissroff/natgeo-chrome-extension
• Test your fonts across the web by easily overriding fonts on any webpage
• https://github.com/ansh/bionic-reading
• https://github.com/elight/slack_emoticon_inhaler
• Browser extension that adds a table of contents to GitHub repos, wikis and gists
• Translate Japanese by hovering over words
• Remove the algorithmic content from Twitter, hide news & trends, lets you control which shared tweets appear on your timeline
• Automatically fill out cookie popups based on your preferences
• Search the textual content of any YouTube video
• Chrome extension to detect possible xsleaks
• https://addons.mozilla.org/en-US/firefox/addon/firefox-translations + https://blog.mozilla.org/en/mozilla/local-translation-add-on-project-bergamot
• A browser extension to display ChatGPT response alongside Google Search results + https://news.ycombinator.com/item?id=33853773
• https://github.com/0xdevalias/chrome-NewWindowWithTabsToRight
• https://github.com/Norfeldt/github-issue-reactions-browser-extension
• Firefox extension to highlight and save text from the web
• A browser extension to detect website censorship methods as you surf
• removes ads and unwanted content from your LinkedIn feed
• https://github.com/lapcat/SafariExtensions
• Ensure paste isn’t blocked on any textbox: https://github.com/jswanner/DontF-WithPaste, https://underpassapp.com/StopTheMadness
• Firefox 115 can silently remotely disable my extension on any site
• Changes your User-Agent header to throw off tracking
• A browser extension that redirects popular sites to alternative privacy friendly frontends
• https://cascaspace.substack.com/p/optimizing-performance-how-our-extension
• https://github.com/da2x/amp2html

Chrome

• https://github.com/Eloston/ungoogled-chromium
• https://kayce.basqu.es/portfolio
• When testing your redirects with Chrome, always test a 302 before a 301
• https://github.com/jbranchaud/til#chrome
• Create HAR files from Chrome Debugging Protocol data.
• Output a video file from screenshot frames within a Chrome DevTools JSON trace file.
• This tool downloads, installs, and configures a shiny new copy of Chromium.
• Harden your Chrome browser via enterprise policy.
• https://blittle.github.io/chrome-dev-tools + https://github.com/blittle/chrome-dev-tools
• Extract relative urls from a heap snapshot
• A tool to capture communication between Chromium processes on Windows in real-time using Wireshark, by capturing data sent over named pipes.
• Hidden Features of Chrome DevTools
• https://www.mattzeunert.com/2016/03/17/devtools-never-pause-here.html
• The feature was launched as AMP Stories, which has now been rebranded to Web Stories.
• https://github.com/IAIK/ChromeZero
• Web Captioner makes your event, speech, classroom lecture, or church service accessible with real-time captioning.
• How to get sites you use daily out of your browser
• Getting Started With Chrome DevTools Protocol
• https://github.com/ip2k/I-Dont-Care-About-HSTS-For-Localhost

Brave

• https://rudism.com/the-brave-browser-is-brilliant
• https://github.com/iharh/notes/tree/master/security/tracking

Firefox

• https://madaidans-insecurities.github.io/firefox-chromium.html
• making Firefox stop polluting your Burp session with superfluous requests + https://twitter.com/egyp7/status/1196497265743056898
• An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting.
• Listing changes in Firefox default preferences. The diffs are created using 64-bit Firefoxes (en-US) on Windows.
• https://blog.mozilla.org/data/2020/03/16/understanding-default-browser-trends
• https://honzajavorek.cz/blog/how-i-consume-content
• https://timvisee.com/blog/firefox-tricks-quantumbar
• https://nelsonslog.wordpress.com/2021/12/07/firefox-compat-hacks
• https://nelsonslog.wordpress.com/2021/12/22/faking-geolocation-in-firefox
• Separate Firefox Dark UI theme from website dark mode
• https://github.com/MrOtherGuy/firefox-csshacks

Federated Credential Management API (FedCM)

• https://textslashplain.com/2023/04/12/auth-flows-in-a-partitioned-world

Contact Picker API

• https://evilmartians.com/chronicles/dont-wait-lets-use-browser-contact-picker-api-now

Geolocation API

• https://daniel.fone.net.nz/blog/2020/09/14/geolocation-api-demo

Historic

• https://webinista.com/updates/flash-end-of-life + https://twitter.com/mattmay/status/1344728355912880129 + http://blog.archive.org/2020/11/19/flash-animations-live-forever-at-the-internet-archive
• Last publicly available revision of the world's first web browser
• https://brucelawson.co.uk/2022/ie-rip-or-brb
• Comparison of Web Browsers
• History of Web Browser Engines from 1990 until today

Safari

• In my app when a user clicks play, I remove all audio elements, swap them with fresh ones, and attempt to autoplay for the user. + https://github.com/cableready/audio_operations
• https://predr.ag/blog/debugging-safari-if-at-first-you-succeed
• Safari releases are development hell

Staybl

• A browser for Parkinson’s patients, with “customizable tremor compensation tremor compensation, high-contrast design, a particularly legible font, and general ease of use.”

Opera

• Standalone client for proxies of Opera VPN
• https://medium.com/@renwa/opera-browser-vpn-bypass-20877aaf08c0

Cookie

• SameSite=Lax
• https://www.troyhunt.com/promiscuous-cookies-and-their-impending-death-via-the-samesite-policy
• https://blog.reconless.com/samesite-by-default
• Stealing Session Cookies with Tcpdump
• How to Store Session Tokens in a Browser (and the impacts of each)
• https://rudism.com/cookie-monster
• Browser fingerprinting via favicon!
• Exploring the SameSite cookie attribute for preventing CSRF
• https://github.com/defaultnamehere/cookie_crimes
• https://jub0bs.com/posts/2021-01-29-great-samesite-confusion
• https://github.com/iangcarroll/cookiemonster
• https://github.com/SoheilKhodayari/same-site-wiki + https://twitter.com/Soheil__K/status/1526970587083681792
• https://blog.daviddworken.com/posts/same-site-cross-origin
• cookie tossing leading to session fixation

IndexDB

• https://patrickbrosset.com/articles/2023-01-17-web-storage
• https://twitter.com/tgroshon/status/1332499610192015362
• https://just-be.dev/posts/export-import-indexeddb
• https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15
• Why IndexedDB is slow and what to use instead
• Offline storage, improved. Wraps IndexedDB, WebSQL, or localStorage using a simple but powerful API.
• Parses Indexeddb files - used to extract devtools console history
• https://tantaman.com/2022-05-13-large-local-storage.html
• https://github.com/stars/jnv/lists/storage

Federated Learning of Cohorts

• https://seirdy.one/2021/04/16/permissions-policy-floc-misinfo.html
• https://brave.com/why-brave-disables-floc + brave/brave-core#8468
• https://dev.to/sgolovine/opt-your-netlify-vercel-or-github-pages-site-out-of-google-s-floc-network-3nhl
• https://amifloced.org
• https://make.wordpress.org/core/2021/04/18/proposal-treat-floc-as-a-security-concern
• https://plausible.io/blog/google-floc
• https://vivaldi.com/blog/no-google-vivaldi-users-will-not-get-floced
• https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network + https://twitter.com/tomayac/status/1383337100041359365
• https://spreadprivacy.com/block-floc-with-duckduckgo

Content Security Policy (CSP)

• https://twitter.com/manicode/status/1371849647468208130
• https://twitter.com/mikewest/status/1370394397267869699
• Next level anti-debugging technique using SourceMappingURL feature
• https://github.com/nico3333fr/CSP-useful
• https://csper.io/blog/other-csp-security
• https://www.secjuice.com/hiding-javascript-in-png-csp-bypass + https://twitter.com/Menin_TheMiddle/status/1244325611440615426
• https://tldrsec.com/blog/content-security-policy-going-from-idea-to-afterthought
• https://sensepost.com/blog/2021/from-500-to-account-takeover + https://twitter.com/XssPayloads/status/1376389308207226881
• https://twitter.com/blipsofadoug/status/1125223582974533633
• https://threatnix.io/blog/exploiting-csp-in-webkit-to-break-authentication-authorization
• https://www.bryanbraun.com/2021/08/10/allowing-inline-scripts-in-your-content-security-policy-using-a-hash
• https://octagon.net/blog/2022/05/29/bypass-csp-using-wordpress-by-abusing-same-origin-method-execution
• Discover new target domains using Content Security Policy
• https://github.com/naugtur/CSP-exercise
• Monorepo for CSP-related packages
• XSS with CSP bypass leads to diagrams backdoor in jgraph/drawio + https://huntr.dev/bounties/4c1c5db5-210f-4d7e-8380-b95f88fdb78d
• https://engineering.linkedin.com/blog/2023/enhancing-security-and-developer-productivity--linkedin-s-journe

Cross-origin resource sharing (CORS)

• https://github.com/monsur/enable-cors.org
• https://www.kitploit.com/2019/12/corstest-simple-cors-misconfiguration.html
• Authenticated CORS with Access-Control-Allow-Origin: *
• https://github.com/RUB-NDS/CORStest
• https://ieftimov.com/post/deep-dive-cors-history-how-it-works-best-practices
• https://github.com/onsecru/cors_playground
• Cache your CORS, for performance & profit
• https://jeffy.info/2019/07/22/exposing-cors-headers.html
• https://medium.com/@mashoud1122/cors-misconfiguration-account-takeover-out-of-scope-to-grab-items-in-scope-66d9d18c7a46
• https://github.com/mscoutermarsh/cors-test
• https://w3c.github.io/webappsec-cors-for-developers

Cross-Origin-Opener-Policy (COOP)

• COOP and COEP explained
• https://blog.daviddworken.com/posts/stopping-xs-leaks-at-scale + https://github.com/mjz3/LeakuidatorPlus + https://twitter.com/ndevtk/status/1549894289865560065
• Cross-origin isolation (COOP and COEP) through a service worker for situations in which you can't control the headers (e.g. GH pages)

Same Origin Policy (SOP)

• https://parsiya.net/blog/2020-11-01-the-same-origin-policy-gone-wild
• https://github.com/rafaybaloch/SOP-Bypass-Mini-Test-Suite

Search Engine Optimization (SEO)

• https://www.smashingmagazine.com/smashing-guide-search-engine-optimization
• https://developers.google.com/search/docs/guides/intro-structured-data
• Find broken links, missing images, etc within your HTML.
• Scurry around your site and find all those broken links
• https://vasco3.gitbooks.io/hacks-n-notes/content/internet_marketing/seo.html
• https://github.com/darekkay/best-practices#seo
• Curs Super SEO pentru eCommerce
• https://www.linkedin.com/pulse/200-unsolicited-seo-tips-mark-williams-cook
• The Open Source A/B Testing Platform
• https://ahrefs.com/blog/seo-glossary
• SEO | knowthen
• Today I set up SEO for rubyandrails.info
• https://github.com/sw-yx/company-youtubes#business-oriented
• High signal information security sources Goggle
• https://github.com/marcobiedermann/search-engine-optimization
• https://github.com/thospfuller/awesome-search-engine-optimization

Server-sent events (SSE)

• https://m.youtube.com/playlist?list=PLw5h0DiJ-9PAQ1pKeDanXUjGbjPAluT7S

Web Audio API

• https://github.com/idevelop/google-cloud-speech-webaudio
• iOS Safari is like IE6 when it comes to WebAudio
• Detecting pitch with the Web Audio API and autocorrelation

Web Real-Time Communication (WebRTC)

• https://github.com/adalkiran/webrtc-nuts-and-bolts
• https://github.com/webrtc-for-the-curious/webrtc-for-the-curious
• https://m.youtube.com/playlist?list=PLWIcRrPLCdUeu5vBImsX2mMBacbomDrig
• WebRTC Boston
• Anyone do much with WebRTC?
• Turns a Web Browser into a Web Server with WebRTC
• https://github.com/whatismyinternalip/whatismyinternalip.github.io
• The various ways your RTC may be crushed; a presentation on RTC DoS attacks - Enable Security
• https://twitter.com/iggredible/status/1300240215789821954
• browser-based internal network scanner that detects victim's LAN IP (loops back via WebRTC) + https://twitter.com/samykamkar/status/1329124348779667456
• A self contained OBS -> FTL -> WebRTC live streaming server.
• Share a terminal session over WebRTC
• https://github.com/webrtc-for-the-curious/webrtc-for-the-curious
• https://github.com/delapuente/presentations#webrtc--web-components
• https://github.com/kgryte/awesome-peer-to-peer#resources
• https://github.com/EnableSecurity/awesome-rtc-hacking
• Easy P2P file transfer powered by WebRTC - inspired by Apple AirDrop
• https://github.com/muaz-khan/WebRTC-Experiment
• https://github.com/adamavenir/talkto
• https://github.com/diafygi/webrtc-ips
• A tool to test and exploit STUN, TURN and TURN over TCP servers + https://firefart.at/post/multiple_vulnerabilities_cisco_expressway + https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty
• https://piranna.github.io/2021/04/23/How-to-build-WebRTC-for-Android-in-Ubuntu-21.04
• https://piranna.github.io/2020/12/30/Types-of-WebRTC-networks
• Blender session in the browser over WebRTC
• Karl Stolley, author of Programming WebRTC
• Polyfill for WebRTC in Workers

Canvas

• https://pqina.nl/blog/cropping-images-to-an-aspect-ratio-with-javascript
• A simple Christmas tree.
• Screenshots with JavaScript
• https://github.com/raphamorim/awesome-canvas
• https://github.com/Rich-Harris/yootils/blob/master/src/canvas/sprite.ts
• HTML5 Canvas implementation for NodeJS backed by Puppeteer.
• https://github.com/tsayen/dom-to-image
• The better way to render text on HTML5 Canvas
• https://github.com/sunify/canvas-playground
• https://github.com/desandro/practical-ui-physics
• Canvas + JSX + Hooks
• Visual Web Development (2021) | Radu Mariescu-Istodor
• A library for capturing web page self screenshots
• https://bkardell.com/blog/OffscreenCanvas.html
• https://github.com/mattdesl/workshop-generative-art
• An Underrated Way To Learn Programming: Generative Art
• https://github.com/psenough/teach_yourself_demoscene_in_14_days
• procedurally generated fish drawings
• https://github.com/bubkoo/html-to-image
• https://developer.mozilla.org/en-US/blog/javascript-shape-drawing-function

File System API

• https://developer.chrome.com/articles/origin-private-file-system

Web Authentication API

• https://goteleport.com/blog/how-passwordless-works
• https://betterappsec.com/a-medium-dive-into-web-application-authentication-342d1d002a61
• https://denhoff.ca/posts/webauthn-by-id-android
• https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture
• https://fidoalliance.org/fido2-2/fido2-web-authentication-webauthn
• https://secfense.com/blog/fido2-authentication-explained
• https://www.youtube.com/watch?v=SWocv4BhCNg + https://fidoalliance.org/passkeys
• https://nelsonslog.wordpress.com/2024/03/22/passkeys-still-awkward-in-mar-2024-android-chrome-windows-1password + https://nelsonslog.wordpress.com/2024/03/23/passkeys-try-two

WebGL

• https://github.com/davidwparker/programmingtil-webgl + https://m.youtube.com/playlist?list=PLPqKsyEGhUnaOdIFLKvdkXAQWD4DoXnFl
• https://tchayen.com/brief-explanation-of-webgl
• https://www.pheelicks.com/speaking
• https://github.com/luruke/awesome-casestudy
• https://github.blog/2020-12-21-how-we-built-the-github-globe
• https://formidable.com/blog/2021/future-ui
• https://techblog.geekyants.com/recreating-real-world-terrain-with-react-threejs-and-webgl-shaders-1
• https://webglfundamentals.org + https://twitter.com/redblobgames/status/1369123816719360000
• https://alain.xyz/blog/raw-webgl
• Minimal WebGL Library
• https://github.com/brunoimbrizi/interactive-particles
• https://github.com/lesnitsky/webgl-month
• https://github.com/rezaali/webgl-tutorial
• https://github.com/rezaali/webgl-sketches
• https://github.com/stackgl/webgl-workshop
• Javascript and the next decade of data programming + https://github.com/rofrol/awesome-wgpu + https://github.com/danbev/learning-gpgpu
• https://www.amazon.com/Learning-Three-js-JavaScript-Library-Second/dp/1784392219
• https://www.davrous.com/2020/03/22/understanding-shaders-the-secret-sauce-of-3d-engines
• an experiment to make something like "vvvv" in javascript, html and webgl.
• https://xem.github.io/articles/webgl-guide.html + https://twitter.com/MaximeEuziere/status/1261643172582653954
• https://github.com/spite/virtual-webcam
• https://github.com/caged/regl-learn
• https://github.com/erich666/RealTimeRendering
• https://github.com/jsulpis/realtime-planet-shader

WebGPU

• https://hackaday.com/2022/03/09/webgpu-better-than-webgl
• How Does a GPU Shader Core Work? | Aras Pranckevičius
• https://cohost.org/mcc/post/1406157-i-want-to-talk-about
• https://github.com/gfxfundamentals/webgpufundamentals

Human Interface Device (WebHID)

• https://github.com/robatwilliams/awesome-webhid

Web MIDI

• https://github.com/obensource/web-midi-api-docs
• https://obensource.com/blogs/high-fidelity-event-sampling-and-playback-with-vanilla-javascript

WebUSB

• https://github.com/webusb/awesome
• https://charliegerard.dev/blog/aircraft-radar-system-rtl-sdr-web-usb

Headless

• Node library to automate Chromium, Firefox and WebKit browsers + opinion + https://medium.com/@woff/arbitrary-file-read-tricks-with-headless-browsers-eeebc2d9e5c8
• Comparing Cypress and Puppeteer
• Capture screenshots in multiple browsers!
• Puppeteer example scripts for running Headless Chrome from Node.
• https://blog.checklyhq.com/cypress-vs-selenium-vs-playwright-vs-puppeteer-speed-comparison
• A Headless Chrome rendering solution
• https://github.com/humanwhocodes/puppeteer-data-extractor
• http://blog.ezyang.com/2021/11/interactive-scraping-with-jupyter-and-puppeteer

Performance

• https://github.com/leandrotk/web-performance-studies
• interactive flamegraph visualizer
• https://www.speedcurve.com/blog/element-timing-one-true-metric
• https://www.webpagetest.org/learn/lightning-fast-web-performance/#toc
• https://www.davrous.com/2020/03/20/frame-variable-refresh-rates-or-why-tesla-is-responsible-for-the-60-fps-war
• https://ethanmarcotte.com/wrote/au-revoir-mon-ampmour
• A Node.js command line tool that crawls a domain and gathers lighthouse performance data for every page.
• The Almost-Complete Guide to Cumulative Layout Shift
• https://webvitals.dev/cls
• Web Performance Recipes With Puppeteer
• https://calibreapp.com/tools/core-web-vitals-checker
• A curated list of Web Performance Optimization
• https://3perf.com/talks/web-perf-101
• https://blog.webpagetest.org/posts/test-your-spa
• https://www.stefanjudis.com/blog/how-to-find-all-render-blocking-resources-with-javascript
• SingleFile was really slow on pages with large stylesheets, especially in Firefox
• effective ways to improve Core Web Vitals performance in 2023
• Cumulative Layout Shift Differences
• https://dev.to/noamr/when-a-millisecond-is-not-a-millisecond-3h6
• https://web.dev/shopping-for-speed-on-ebay
• https://www.jovidecroock.com/blog/browser-timings
• Interaction to Next Paint (INP)
  • https://www.speedcurve.com/blog/INP-user-experience-correlation

• First Input Delay (FID)

Miscellaneous

• Web Browser Engineering + https://courses.cs.washington.edu/courses/cse490x/22sp/lecture +
• https://wiki.systemcrafters.net/guix/browsers
• https://github.com/vasanthk/how-web-works
• The End of Indie Web Browsers: You Can (Not) Compete.
• Shareable bookmarks.
• https://textslashplain.com/2020/02/09/demystifying-browsers + https://textslashplain.com/2020/09/29/debugging-browsers-tools-and-techniques
• https://github.com/trimstray/the-book-of-secret-knowledge#black_small_square-browsers-1
• https://alan.norbauer.com/articles/browser-debugging-tricks
• https://textslashplain.com/2020/09/25/web-debugging-watching-element-changes
• https://github.com/styfle/breaking-changes-web
• QR codes art
• https://github.com/dongri/emv-qrcode-doc
• https://github.com/azu/browser-resources

Tool

• rrweb is an open source web session replay library, which provides easy-to-use APIs to record user's interactions and replay it remotely.
• https://github.com/captainbrosset/devtools-tips
• estimating the % of web users that have certain web features natively supported
• From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers
• https://github.com/iipc/awesome-web-archiving
• using ForensiX to extract information about a Chrome dump

WebCryptoAPI

• https://docs.google.com/presentation/d/1LbJcPulQ_a4utqNCUoGCk8GTQbchN2BL_kAF3DNJQbo
• https://blog.intothesymmetry.com/2020/01/the-curious-case-of-webcrypto-diffie.html
• https://github.com/diafygi/webcrypto-examples
• Bring your own filesystem, a javascript library that allows users to connect their own data storage backend to your webapp
• Embed any file into an encrypted, self-decrypting HTML file
• https://github.com/mprimi/portable-secret
• https://github.com/Metalnem/javascript-crypto
• https://github.com/robinmoisson/staticrypt/pull/111/files