An open-source MobileSafari-like web browser for iOS (wrapping around UIWebView) with a design goal of increased security and privacy.
While this software is open source and you are free to modify it and use it on your own devices, redistribution of this software in binary form, with or without modification, is not permitted. Please see the LICENSE for redistribution terms. Commercial redistribution license exclusions are available; please contact me for more information.
Basics of entering URLs, following redirections, back, forward, cookie storage, HTTP basic authentication
Multiple tabs with support for
automatically opening new tab windows, but blocks calls not made via user
interaction events (similar to most desktop browser popup blockers)
Bookmark list with management, re-ordering, and editing
Custom long-press menu for links to open in a new tab, and to save images to the device; shows image or link alt text (useful for sites like xkcd)
Swipe left and right to go back and forward
Long-press on back button to show history and quickly go back more than one page
Search from URL bar with DDG, Google, or Startpage, including optional auto-complete of search queries
Optional dark/night-time interface
Full hardware keyboard support for websites that support keyboard shortcuts, as well as global shortcuts for common functions like Command+T for new tab, Command+W to close, Command+L to focus URL field, etc.
Per-host/domain security and privacy settings:
Disables SSL 2 and SSL 3 by default with a configurable minimum TLS version to require from the host, such as TLS 1.2-only. Also disables weak TLS ciphers.
Configurable security policy:
Open (default, normal browsing mode)
No after-load connections (blocks XMLHTTPRequest/AJAX requests, WebSockets, and <video> and <audio> elements)
Blocks mixed-content requests (http elements on an https page) unless disabled (useful for RSS readers), shows broken padlock
Blocks pages loaded from non-local networks (i.e., the internet) from trying to load sub-requests (e.g., images, iframes, ajax) from hosts that are on local IPv4 and IPv6 networks such as routers and other insecure devices
Defaults to only accepting cookies and local storage for the duration of the session (until the last tab accessing that data closes) but allows persistent storage from configured hosts
Blocks WebRTC by default
Auto-destroys non-whitelisted cookies and local storage (even within the same tab) that has not been accessed by any other tab within a configurable amount of time (defaults to 30 minutes) to improve privacy while browsing within a long-running tab
Cookie and localStorage database listing and deletion per-host
Integrated full HTTPS Everywhere ruleset to do on-the-fly URL rewriting to force requests over SSL where supported, including setting the secure bit on received cookies and auto-detection of redirection loops
HTTP Strict Transport Security (RFC6797) implementation (in addition to WebKit's mystery built-in one) with Chromium's large preload list
Integrated URL blocker with a small included ruleset of behavior-tracking advertising, analytics, and social networking widgets (this list is intended for enhancing privacy and not to be an AdBlock-style comprehensive ad-blocking list)
Shows locked padlock for fully SSL-encrypted URLs, and a green padlock for sites with EV SSL certs
Integrated SSL certificate viewer by tapping on padlock icon, highlighting weak SSL certificate signature algorithms and showing per-connection negotiated TLS/SSL protocol version and cipher information
Optional sending of Do-Not-Track header on all requests
Disables 3rd party keyboards by default with option to enable
Integrated password manager button to autofill website logins, passwords, credit card numbers, etc.; requires the 1Password or Bitwarden iOS app to be installed (and is not enabled if not installed)
This is a critical component to Endless and is how it does things like change TLS ciphers, block tracking scripts, and do restrictive CSP header manipulation.