Shielded Site Project

25 Mar 2021 - karit

The Shielded Site Project is a project by the Women’s Refugee in Aotearoa to provide help/support/information to people who are experiencing domestic violence. What is interesting with this project is that it provides a way to access this information without any trace being left in a web browser’s history.

I have in recent days added it to most of my sites and in doing so have put together a base Content Security Policy (CSP); which is shared later in this blog post.

You may have visited sites embedding the The Shielded Site Project without knowing it. You may have seen the logo below on site you have visited and not known what it is. This logo, if clicked on, will show the Shielded Site Project application (well the logo at the very bottom of this page will, the logo directly below is just the logo).

You can see this working by scrolling to the very bottom of this page and clicking the image. It will pop a little overlay thing with all the information in it.

No browser history, why is this important?

This is designed in such a way it does not leave any trace in the browser be that in the history, cookies, local storage, etc, so if the abusive partner is monitoring a person’s internet activity, there will be no trace that they are accessing this information.

A lot of the sites which have it installed are large high traffic sites like:

• Supermarkets and other retail
• Banks and financial information
• Education
• Government sites
• News sites
• Telcos and ISPs
• Medical Providers
• etc

So there is plausible reasons for them visiting these sites, which can be easily explained as a normal day to day activity, not that they are seeking this information.

Why have I included it on my sites?

My sites will likely not have a plausible reason for visiting, but I hope it help raises awareness and encourages more sites to include the project on their own sites.

What you can do?

• If you run a site or have the ear of someone who runs a site, see about adding The Shielded Site Project to the site.
• If you are a parent encourage you children’s school to add it to the school’s sites.
• The options are endless really, the more places which have it the better and also the more people who know what the logo at the bottom of a bunch sites is for the better.

The CSP

A Content Security Policy (CSP) is for the webmasters to instruct the browsers where they can include scripts, images, etc from. I have put the following CSP together which is what you need to add to the site’s current CSP to allow The Shielded Site Project to work. The CSP is as follows:

Content-Security-Policy: script-src ‘self’ ‘unsafe-inline’ https://staticcdn.co.nz/ https://helpline.homecaremedical.co.nz/; img-src https://shielded.co.nz/ https://staticcdn.co.nz/; font-src https://staticcdn.co.nz/; upgrade-insecure-requests

Explanation of the CSP

The CSP breaks down as follows:

• script-src - This instructs where the browser can run JavaScript from.
  • ‘self’ - There is JavaScript running on the domain which is serving the site. There is some JavaScript needed to be embedded on every page.
  • ‘unsafe-inline’ - The way the JavaScript is included on the page requires the use unsafe-inline.
  • https://staticcdn.co.nz/ - Staticcdn holds most the JavaScript code for the application.
  • https://helpline.homecaremedical.co.nz/ - This is the JavaScript to required to run the live chat functionality.
• img-src - This instructs where the browser can load images from.
  • https://shielded.co.nz/ - There are images to include from https://shielded.co.nz/.
  • https://staticcdn.co.nz/ - There are images to include from https://staticcdn.co.nz/.
• font-src - This instructs where the browser can load fonts from.
  • https://staticcdn.co.nz/ - There is a font included from https://staticcdn.co.nz/.
• upgrade-insecure-requests - This instructs the browser to upgrade all request for all included files to be requested over HTTPS and not HTTP. Technically this isn’t required for the inclusion of The Shielded Site Project on a site, but it is 2021 and there is no reason that content should be delivered over HTTP anymore.

Conclusion

The Shielded Site Project is a great project doing great work. I would like to see it on more sites and more people to know it exists. Every person it can help is a good thing, you never know who this may help.