An online tool that checks how a website is doing with regards to privacy. https://webbkoll.dataskydd.net
Webbkoll

This is the code that powers https://webbkoll.dataskydd.net an online tool that checks how a webpage is doing with regards to privacy.

It attempts to simulate what happens when a user visits a specified page with a typical browser without clicking on anything, with the browser having no particular extensions installed, and with Do Not Track (DNT) disabled (as this is the default setting in most browsers).

In short: this tool, which runs the user-facing web service (built with Elixir and Phoenix), asks a simple Node.js backend to visit a page with Chromium. The backend uses Puppeteer to control Chromium; it visits and renders the page, collects various data (requests made, cookies, response headers, etc.), and sends it back as JSON to this tool which then analyzes the data and presents the results on a webpage along with explanations and advice.
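To make the analysis step concrete, here is an added example (not Webbkoll's own code, and not its actual JSON format) of the kind of checks the frontend can run over the data a Puppeteer backend hands back: which contacted hosts are third parties, which subresources were fetched over plain HTTP, which cookies belong to other sites or lack the Secure attribute, and a few header checks in the spirit of the Mozilla HTTP Observatory rules the project credits. The field names (`url`, `requests`, `cookies`, `headers`), the finding identifiers and the sample hostnames are all assumptions made for this illustration.

```javascript
// Added example, not Webbkoll's own code: a minimal analysis pass over the kind
// of JSON a Puppeteer backend could return (page URL, requests made, cookies,
// response headers). Field names are assumed, not the project's real shape.

// Registrable-domain heuristic: last two labels. A real checker must use the
// Public Suffix List, otherwise "a.co.uk" and "b.co.uk" look like one site.
function siteOf(hostname) {
  return hostname.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Hosts contacted that are not the visited page's site, deduplicated and sorted.
function thirdPartyHosts(result) {
  const site = siteOf(new URL(result.url).hostname);
  const hosts = new Set();
  for (const req of result.requests) {
    const host = new URL(req.url).hostname;
    if (siteOf(host) !== site) hosts.add(host);
  }
  return [...hosts].sort();
}

// Subresources fetched over plain HTTP (they could have been secure).
function insecureRequests(result) {
  return result.requests.map(r => r.url).filter(u => new URL(u).protocol === "http:");
}

// Cookies whose domain belongs to another site than the visited one.
function thirdPartyCookies(result) {
  const site = siteOf(new URL(result.url).hostname);
  return result.cookies.filter(c => siteOf(c.domain) !== site).map(c => c.name);
}

// Cookies set during an HTTPS visit without the Secure attribute.
function insecureCookies(result) {
  return result.cookies.filter(c => !c.secure).map(c => c.name);
}

// Effective script sources of a CSP: script-src, falling back to default-src.
function cspScriptSources(csp) {
  const directives = Object.create(null);
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return directives["script-src"] || directives["default-src"] || null;
}

// Header checks; names are matched case-insensitively. Returns finding ids.
function analyzeHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  const hsts = h["strict-transport-security"];
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push("hsts-missing");
  else if (!maxAge || Number(maxAge[1]) < 15552000) findings.push("hsts-max-age-short"); // < 180 days

  const csp = h["content-security-policy"];
  const src = csp ? cspScriptSources(csp) : null;
  if (!csp) findings.push("csp-missing");
  else if (!src) findings.push("csp-no-script-src");
  else {
    // CSP2+ browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const hasNonceOrHash = src.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (src.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("csp-script-unsafe-inline");
    if (src.includes("'unsafe-eval'")) findings.push("csp-script-unsafe-eval");
    if (src.some(s => s === "*" || s === "http:" || s === "https:")) findings.push("csp-script-wildcard");
  }

  const rp = (h["referrer-policy"] || "").trim().toLowerCase();
  if (!rp) findings.push("referrer-policy-missing");
  else if (rp === "unsafe-url" || rp === "no-referrer-when-downgrade")
    findings.push("referrer-policy-weak"); // full URL still leaks cross-origin over HTTPS

  if ((h["x-content-type-options"] || "").trim().toLowerCase() !== "nosniff")
    findings.push("x-content-type-options-missing");

  return findings;
}

function analyze(result) {
  return {
    thirdPartyHosts: thirdPartyHosts(result),
    insecureRequests: insecureRequests(result),
    thirdPartyCookies: thirdPartyCookies(result),
    insecureCookies: insecureCookies(result),
    headerFindings: analyzeHeaders(result.headers),
  };
}

// Constructed sample in the assumed shape; hosts and values are illustrative only.
const SAMPLE = {
  url: "https://www.example.org/",
  requests: [
    { url: "https://www.example.org/app.js" },
    { url: "https://cdn.example.org/style.css" },
    { url: "https://tracker.example.com/pixel.gif" },
    { url: "http://fonts.example.net/font.woff2" },
    { url: "https://fonts.example.net/font.css" },
  ],
  cookies: [
    { name: "session", domain: "www.example.org", secure: true },
    { name: "_ga", domain: ".example.org", secure: false },
    { name: "ad_id", domain: ".ads.example.com", secure: true },
  ],
  headers: {
    "Strict-Transport-Security": "max-age=3600",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  },
};

console.log(JSON.stringify(analyze(SAMPLE), null, 2));
```

The two-label `siteOf` heuristic is the weakest part and is deliberately called out: a real first-party/third-party decision needs the Public Suffix List, and a real tracker verdict needs a list such as the Disconnect data the project ships in priv/services.json rather than "any other site".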

Webbkoll is multilingual and currently supports English, Swedish, German and Norwegian. We use Weblate for translations; if you want to help us translate Webbkoll into more languages, see TRANSLATIONS.md.

Honeydew is used for job processing, and some basic rate limiting is done with ex_rated. Multiple backends can be configured. ConCache is used to store results in an in-memory ETS table for a limited time. Other than the Node.js backend, there are no external dependencies, and nothing is saved to disk.

Please note that this is still a work in progress. Expect bugs and messy code in places. Only a few basic tests are in place.

Also note that this tool is mainly meant to be used as a starting point for web developers. For more rigorous and systematic testing we recommend that you check out OpenWPM, which we used to analyze the websites of Sweden's municipalities (site, code). You might also want to have a look at PrivacyScore, which is a bit more comprehensive than Webbkoll (additionally checks e.g. email and TLS/SSL configuration) and also lets you compare/rank lists of sites.

This is a project by Dataskydd.net. See Webbkoll's About page for more information.

Browser backend

The browser backend is a tiny script that uses Puppeteer to control instances of Chromium. You'll find it in this repo.

Frontend/"regular backend" (this app!)

Install Erlang (>= 24) and Elixir (>= 1.12) -- see http://elixir-lang.org/install.html.

Clone this repository, cd into it.

Install dependencies:

mix deps.get

Make sure the backend is running on the host/port specified in config/dev.exs

Compile CSS with sassc, copy static assets (this replaces brunch and 340 node dependencies):

mkdir -p priv/static/css priv/static/fonts priv/static/images priv/static/js
sassc --style compressed assets/scss/style.scss priv/static/css/app.css
cat assets/static/js/webbkoll-*.js > priv/static/js/webbkoll.js
rsync -av assets/static/* priv/static

Start the Phoenix endpoint with mix phx.server (or to get an interactive shell: iex -S mix phx.server)

Now you can visit localhost:4000 in your browser.

Production

To run in production, first get and compile dependencies:

mix deps.get --only prod
MIX_ENV=prod mix compile

Next, do the compile CSS/rsync files step from above. Then digest and compress static files:

MIX_ENV=prod mix phx.digest

Start the server in the foreground (port must be specified; for SECRET_KEY_BASE, run mix phx.gen.secret to get a suitable value):

MIX_ENV=prod PORT=4000 SECRET_KEY_BASE=something_random_at_least_64_bytes_sdjkljsdklfjsklfsfjsldfjksld mix phx.server

Or in an interactive shell:

MIX_ENV=prod PORT=4000 SECRET_KEY_BASE=something_random_at_least_64_bytes_sdjkljsdklfjsklfsfjsldfjksld iex -S mix phx.server

See also the official Phoenix deployment guides.

TODO/ideas

  • Optionally visit a number of randomly selected internal pages and let the results be based on the collective data from all the pages
  • Availability over Tor (e.g. does the visitor have to solve a Cloudflare captcha?)
  • HTTPS Everywhere: check for requests that could have been secure
  • SSL Labs integration (or testssl.sh?)
  • DNSSEC?
  • Check whether site is in HSTS preload list?
  • More translations
  • More? Let me know!

Credits & licenses

Translations

Software

  • Phoenix Framework (MIT license) by Chris McCord
  • Header/content analysis code in lib/webbkoll/header_analysis.ex, lib/webbkoll/content_analysis.ex, test/webkoll/csp_test.exs, test/webkoll/sri_test.exs is based on work by April King for Mozilla HTTP Observatory, Mozilla Public License Version 2.0
  • Bourbon, Neat, Bitters, Refills (assets/scss/{base,bourbon,neat}) (MIT license) by thoughtbot
  • tablesort (assets/static/js/tablesort.min.js and assets/scss/tablesort.css) (MIT license) by Tristen Brown
  • A11y Toggle (assets/static/js/a11y-toggle.min.js) (MIT license) by Edenspiekermann
  • Mozilla's version of Disconnect's open source list of trackers (priv/services.json) (GPLv3) by Disconnect, Inc.
  • HTML5 Shiv (assets/static/js/html5shiv.min.js) (MIT license) by Alexander Farkas

For the project code in general (things not noted above):

The MIT License (MIT)

Copyright (c) 2016-2022 Anders Jensen-Urstad

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.