{"id":16062557,"url":"https://github.com/w4/kpjs","last_synced_at":"2026-02-22T23:09:45.369Z","repository":{"id":8405546,"uuid":"58276086","full_name":"w4/kpjs","owner":"w4","description":":lock: Firefox addon POC for GPG signed JavaScript using Keybase","archived":false,"fork":false,"pushed_at":"2023-01-04T13:22:25.000Z","size":7107,"stargazers_count":4,"open_issues_count":22,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-04-15T00:19:47.121Z","etag":null,"topics":["firefox","gpg","hpkp","javascript","keybase","pgp","poc","signed","trust"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/w4.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-05-07T17:09:51.000Z","updated_at":"2023-07-25T14:01:42.000Z","dependencies_parsed_at":"2023-01-11T17:23:12.073Z","dependency_job_id":null,"html_url":"https://github.com/w4/kpjs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/w4/kpjs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w4%2Fkpjs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w4%2Fkpjs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w4%2Fkpjs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w4%2Fkpjs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/w4","download_url":"https://codeload.github.com/w4/kpjs/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/w4%2Fkpjs/sbo
m","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29730339,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-22T20:09:16.275Z","status":"ssl_error","status_checked_at":"2026-02-22T20:09:13.750Z","response_time":110,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firefox","gpg","hpkp","javascript","keybase","pgp","poc","signed","trust"],"created_at":"2024-10-09T04:41:05.777Z","updated_at":"2026-02-22T23:09:45.326Z","avatar_url":"https://github.com/w4.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# KPJS\n\nWhen executing JavaScript, KPJS checks whether a [Keybase](https://keybase.io/) user has the domain\nregistered. If they do, then all scripts loaded from that domain must be signed by\nthe user using a `data-signature` attribute containing a link to the detached\nsignature of the script.\n\nOnce you allow (or deny) a Keybase user to execute JavaScript from a given domain,\nthe user is then \"pinned\" and all JavaScript from then on must be signed by that\nKeybase user. Any subsequent changes to domain ownership on Keybase must be validated\nby the user.\n\n### Why?\n\nCompromised web servers run rampant in the wild. We visit all sorts of websites and run arbitrary\ncode from hundreds of different domains daily. 
The boys in tinfoil hats run [NoScript](https://noscript.net/)\nto either block all JavaScript from running or just allow JavaScript from the domain that they're on. Both of these\n\"solutions\" are flawed: disabling JavaScript hardly gives you a 21st-century experience on the web,\nand if the website you're browsing is compromised then the attacker can return whatever JavaScript they like.\n\nThat's where KPJS comes in: instead of trusting a server in some data centre somewhere to give us \"safe\" scripts,\nwe trust people instead. Using GPG and Keybase we can have publicly verifiable proof that a script was signed by a person\nthat we trust rather than a malicious third party (unless our trusted party's GPG key is compromised - but that's a\nlittle bit harder than compromising a server and usually involves leaving the house).\n\n## Things to note\n\n- this hasn't been audited and shouldn't be used as a front-line defence for your questionable internet activities\n- all unsigned JavaScript is blocked from being run\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fw4%2Fkpjs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fw4%2Fkpjs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fw4%2Fkpjs/lists"}