Xenolith AB (research project)

WebSec Assistant — Security-awareness browser extension

Firefox extension that protects users from phishing, weak passwords, and scams — and teaches them why, with interactive topic guides and quizzes.

Tags: cybersecurity, vue, gamification. Date: 2019-06-01

Overview

WebSec Assistant is a Firefox extension built to raise everyday security awareness inside an organisation. Rather than training users once a year and hoping it sticks, the extension rides along with their browsing and does two things at once. It protects them in the moment by blocking known-bad domains, flagging weak passwords and warning on phishing-prone sites. It also teaches them in small, context-aware doses, opening topic-specific guides with quizzes and optional audio narration exactly when a risky situation comes up, so the explanation lands while the context is still fresh.

Each organisation gets its own allow/deny rules against a company-scoped backend, so the same extension can be rolled out across different tenants without rebuilding anything.

The project was featured by IVA (Kungl. Ingenjörsvetenskapsakademien) as a research initiative with commercial and societal potential.

What the system does

  • Domain blocking — Known-bad URLs are intercepted via the WebExtension webRequest API and redirected to a categorised warning page (malware, phishing, spam, or fake news). Dangerous categories require an explicit action to continue
  • Per-session bypass — Users can whitelist a domain for the current tab only, or permanently, straight from the warning page — or jump directly into the matching learning guide
  • Password strength tooltip — When a password field gets focus, an in-page tooltip powered by zxcvbn rates the password on a five-level scale with a colour-coded bar, and can inject the tested value back into the form
  • Phishing popup on webmail — On common webmail domains, a reminder of phishing red flags appears when users are most likely to need it
  • External-link warning — New-tab navigations to external destinations can be flagged so users aren't silently redirected somewhere unexpected
  • Interactive topic guides — Password, phishing, scamming and fake-news guides are delivered as short slide decks with multi-choice quizzes, live visual feedback, Howler-based audio narration and a completion screen
  • Manual blocklist refresh — One-click sync with the organisation's backend, plus a visible timestamp of the last successful update
  • Bilingual UI — Full English and Swedish translations, including extension-store metadata
  • Configurable — Each protection feature (password tooltip, domain blocking, external-link warning, phishing popup) toggles independently
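A sketch of the blocking decision described under "Domain blocking" and "Per-session bypass", added here as an illustration and not taken from the extension's source. The sample domains, the `warning.html` path and all function names are assumptions; the `browser.*` calls are the standard WebExtension APIs and only run inside an extension.

```javascript
// Constructed sample data: domain -> category, as the backend might supply it.
const blocklist = new Map([
  ["malware.example", "malware"],
  ["login-verify.example", "phishing"],
]);
const permanentAllow = new Set(); // domains the user allowed permanently
const tabAllow = new Map();       // tabId -> Set of domains allowed in that tab only

// Match the hostname or any parent domain, label by label, so subdomains of a
// listed domain are covered but "notmalware.example" is not.
function matchBlocked(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const domain = labels.slice(i).join(".");
    if (blocklist.has(domain)) return { domain, category: blocklist.get(domain) };
  }
  return null;
}

function allowForTab(tabId, domain) {
  if (!tabAllow.has(tabId)) tabAllow.set(tabId, new Set());
  tabAllow.get(tabId).add(domain);
}

// Drop tab-scoped bypasses when the tab closes so they cannot outlive it.
function forgetTab(tabId) { tabAllow.delete(tabId); }

// Pure decision function: allow, or redirect to the categorised warning page.
function decide(url, tabId) {
  let host;
  try { host = new URL(url).hostname; } catch { return { action: "allow" }; }
  const hit = matchBlocked(host);
  if (!hit) return { action: "allow" };
  if (permanentAllow.has(hit.domain) || tabAllow.get(tabId)?.has(hit.domain)) {
    return { action: "allow" };
  }
  const query = new URLSearchParams({ category: hit.category, url });
  return { action: "warn", category: hit.category, redirect: `warning.html?${query}` };
}

// Wiring inside the extension's background script (skipped outside a browser).
if (typeof browser !== "undefined") {
  browser.webRequest.onBeforeRequest.addListener(
    (d) => {
      const r = decide(d.url, d.tabId);
      return r.action === "warn" ? { redirectUrl: browser.runtime.getURL(r.redirect) } : {};
    },
    { urls: ["<all_urls>"], types: ["main_frame"] },
    ["blocking"]
  );
  browser.tabs.onRemoved.addListener(forgetTab);
}
```

Keeping the decision separate from the `webRequest` listener lets the allow/deny logic be unit-tested without a browser.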

Tech stack

  • Extension: Vue, WebExtension APIs (webRequest, storage, tabs), Shadow DOM styling (host-page CSS can't leak in), zxcvbn (password scoring), Howler (per-slide audio)
  • Architecture: Long-running background script owns blocklist + whitelist state and talks to the backend; content script renders UI inside Shadow DOM; popup, guide and warning are three separate Vue entry points
  • Backend: Company-scoped REST API at ubarso.xenolith.se for per-tenant blocklist configuration
  • Manifest V2, Firefox-first (Gecko add-on id websecassistant@xenolith.se)
