TabGuardian Demo

What is TabGuardian?

Every player in the testing industry faces a common challenge: guaranteeing a secure environment now requires some kind of dedicated extension, secure browser, or kiosk application. This approach creates problems for developers who have to maintain several platforms, makes deployments painful for K-12 system administrators, and angers students. Now, there's something that can help. After a simple one-time configuration, TabGuardian provides an easy, powerful solution that prevents students from accessing third-party links, navigating away from the exam, or viewing outside content, all from within a standard web browser, with no external tools or software required.

This page allows developers, administrators, and end users to view a demo implementation of TabGuardian. We hope you consider integrating us into your test environment! You can view information on how to integrate TabGuardian in the README.

Status Indicator

The status indicator provides an immediate visual confirmation when any linked security rule is violated. After you click on a demo, the focus status will change.

Status: Focused

Environment Detection

TabGuardian checks the browser environment to detect automation frameworks. It looks for properties like navigator.webdriver and artifacts left behind by tools such as Selenium or Puppeteer. It can also scan for headless browsers and other illegitimate environments used to automate the exam.

  • navigator.webdriver is false
  • No signs of a headless browser detected
  • No common automation artifacts found
  • Canvas rendering appears normal

Mouse Movement Analysis

TabGuardian analyzes mouse events in real time for non-human patterns. It detects automated behavior by identifying mathematically perfect cursor paths (collinear coordinates) and event timings, such as mousedown and click events firing at inhuman speeds.
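
The two checks described above, as an added example that is not TabGuardian's own code: a straight-line test over recorded cursor samples and a mousedown-to-click timing test. The thresholds, function names and sample recordings are assumptions constructed for illustration.

```javascript
// Illustrative thresholds (assumptions, not TabGuardian's actual values).
const MIN_POINTS = 5;       // samples needed before a path is judged
const LINE_TOLERANCE = 0.5; // max distance in px from the ideal line
const MIN_PRESS_MS = 10;    // mousedown -> click faster than this is flagged

// True when every sample lies within LINE_TOLERANCE px of the straight line
// through the first and last sample (perpendicular distance via cross product).
function isCollinear(points) {
  if (points.length < MIN_POINTS) return false;
  const a = points[0], b = points[points.length - 1];
  const dx = b.x - a.x, dy = b.y - a.y;
  const len = Math.hypot(dx, dy);
  if (len === 0) return false; // no net movement, nothing to judge
  return points.every(p =>
    Math.abs(dx * (p.y - a.y) - dy * (p.x - a.x)) / len <= LINE_TOLERANCE);
}

// Shortest mousedown -> click interval in an event log, or null if none.
function minPressMs(events) {
  let down = null, min = null;
  for (const e of events) {
    if (e.type === 'mousedown') down = e.t;
    else if (e.type === 'click' && down !== null) {
      min = min === null ? e.t - down : Math.min(min, e.t - down);
      down = null;
    }
  }
  return min;
}

// Names of the checks a recording trips; an empty array means none.
function analyzePointer(points, events) {
  const flags = [];
  if (isCollinear(points)) flags.push('collinear-path');
  const press = minPressMs(events);
  if (press !== null && press < MIN_PRESS_MS) flags.push('instant-click');
  return flags;
}

// Constructed samples: a scripted straight drag and a curved, hand-like one.
const scripted = Array.from({ length: 8 }, (_, i) => ({ x: 10 * i, y: 5 * i }));
const human = [[0, 0], [9, 3], [21, 11], [30, 12], [44, 25], [52, 24], [70, 35]]
  .map(([x, y]) => ({ x, y }));
const pressAfter = ms => [{ type: 'mousedown', t: 100 }, { type: 'click', t: 100 + ms }];
console.log(analyzePointer(scripted, pressAfter(0)));
console.log(analyzePointer(human, pressAfter(87)));
```

In a browser the samples would come from mousemove clientX/clientY and the times from event.timeStamp.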

Interaction Monitoring

TabGuardian can measure the time between sequential events like focus, input, and blur. A time difference near zero is a potential indicator of automated interaction.

Cadence Analysis

TabGuardian can analyze the user's unique typing rhythm. The system measures both dwell time (key press duration) and flight time (interval between key presses). Automated scripts usually have an unnaturally uniform typing cadence with no variation.

Scrollbar Checking

TabGuardian analyzes wheel event data to distinguish human scrolling from a scripted action. It looks at the variance in scroll speeds (deltaY) and the time between scroll events. Automated scrolling normally produces perfectly uniform scroll speeds and intervals.
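
Cadence Analysis and Scrollbar Checking both come down to asking whether a series of measurements varies too little to be human. The added example below (not TabGuardian's own code) derives dwell and flight times from key events and deltaY and interval series from wheel events, then flags any series whose coefficient of variation is near zero. The thresholds, names and recordings are constructed assumptions.

```javascript
// Coefficient of variation (stddev / |mean|): 0 means a perfectly uniform series.
function cv(values) {
  const mean = values.reduce((s, v) => s + v, 0) / values.length;
  const sd = Math.sqrt(values.reduce((s, v) => s + (v - mean) ** 2, 0) / values.length);
  if (sd === 0) return 0;
  return mean === 0 ? Infinity : sd / Math.abs(mean);
}

// keys: [{ down, up }] timestamps in ms, one entry per key press.
// Dwell is how long a key is held; flight is the gap to the next key press.
function keystrokeFeatures(keys) {
  return {
    dwell: keys.map(k => k.up - k.down),
    flight: keys.slice(1).map((k, i) => k.down - keys[i].up),
  };
}

// wheel: [{ t, deltaY }] as read from wheel events.
function wheelFeatures(wheel) {
  return {
    deltaY: wheel.map(w => Math.abs(w.deltaY)),
    interval: wheel.slice(1).map((w, i) => w.t - wheel[i].t),
  };
}

const MIN_SAMPLES = 5; // assumption: fewer samples than this are not judged
const MIN_CV = 0.05;   // assumption: below this a series counts as too uniform

// Names of the series whose variation is implausibly low.
function uniformSeries(features) {
  return Object.entries(features)
    .filter(([, v]) => v.length >= MIN_SAMPLES && cv(v) < MIN_CV)
    .map(([name]) => name);
}

// Constructed recordings: a scripted typist, a human typist, a scripted scroll.
const botKeys = Array.from({ length: 6 }, (_, i) => ({ down: 100 * i, up: 100 * i + 50 }));
const humanKeys = [[0, 92], [180, 255], [390, 470], [520, 640], [810, 880], [1010, 1115]]
  .map(([down, up]) => ({ down, up }));
const botWheel = Array.from({ length: 6 }, (_, i) => ({ t: 16 * i, deltaY: 100 }));

console.log(uniformSeries(keystrokeFeatures(botKeys)));
console.log(uniformSeries(keystrokeFeatures(humanKeys)));
console.log(uniformSeries(wheelFeatures(botWheel)));
```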

This is a scrollable area. Scroll up and down here with your mouse wheel to see how your natural scrolling compares to a bot's. The analysis is triggered after a burst of scrolling stops. Keep scrolling for a bit to generate enough data for the check. This box contains enough content to ensure that you have something to scroll through. More text is added here just to make sure the scrollbar is active and usable for this demonstration.

Managing Browsing Tools

To maintain a controlled environment, event listeners are used to intercept common browser functions. By calling preventDefault() on contextmenu, selectstart, and specific keydown events (e.g., F5, Ctrl+R), TabGuardian prevents actions that could be used to bypass security or bypass test monitoring.

  • Text Selection: Try to select or drag the text in this sentence.
  • Context Menu: Right-click anywhere on this page.
  • Keyboard Shortcuts: Try to use shortcuts such as Ctrl+T, Ctrl+R, or F5.

Input Rate Detection

TabGuardian uses a rate-limiting heuristic to detect certain automation utilities, such as auto-clickers. It maintains a rolling time window and logs timestamps for each input event. If the click frequency surpasses a threshold that is physically impossible for a human, a violation is triggered.
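
A rolling-window counter of the kind described above, as an added example rather than TabGuardian's own code. The window length, the limit and the input sequences are constructed assumptions.

```javascript
// Rolling-window input counter. The window and limit are assumptions chosen
// for illustration, not TabGuardian's configured values.
class InputRateMonitor {
  constructor(windowMs = 1000, maxEvents = 20) {
    this.windowMs = windowMs;
    this.maxEvents = maxEvents;
    this.stamps = []; // timestamps inside the current window, oldest first
  }

  // Log one input event at time t (ms). Returns true when the number of events
  // in the last windowMs exceeds maxEvents, i.e. a violation.
  record(t) {
    this.stamps.push(t);
    // Drop everything that has slid out of the window ending at t.
    while (this.stamps.length && this.stamps[0] <= t - this.windowMs) {
      this.stamps.shift();
    }
    return this.stamps.length > this.maxEvents;
  }
}

// Index of the first event that trips the monitor, or -1 if none does.
function firstViolation(timestamps, monitor = new InputRateMonitor()) {
  return timestamps.findIndex(t => monitor.record(t));
}

// Constructed inputs: an auto-clicker firing every 5 ms, and a person
// clicking every 120 ms for the same number of clicks.
const autoClicker = Array.from({ length: 40 }, (_, i) => 5 * i);
const fastHuman = Array.from({ length: 40 }, (_, i) => 120 * i);
console.log(firstViolation(autoClicker));
console.log(firstViolation(fastHuman));
```

Because old timestamps are pruned on every call, the stored array never grows beyond the events of one window, and a burst followed by a pause stops counting against the user once the window has passed.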

Focus Checking

To prevent access to external tools, TabGuardian uses the Page Visibility API and listens for blur, fullscreenchange, and pointerlockchange events. Any event that indicates a loss of focus from the page triggers a security violation.

Anti-Debugging

TabGuardian uses multiple techniques to detect the presence of developer tools. It looks for environmental changes that would indicate an open console, and sudden changes in window resolution. The focus status will automatically change if TabGuardian detects the console being opened.

Integrity Lock

To prevent runtime tampering, TabGuardian's core configuration object is frozen using Object.freeze(). This makes the security rules unchangeable, ensuring that a user script cannot change TabGuardian's protection policies after the page has been loaded.
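
Object.freeze() only locks the object it is called on, so a configuration that holds nested objects or arrays needs every level frozen. The added example below (not TabGuardian's own code) freezes a whole object graph and verifies the result; the config shape and all names are assumptions.

```javascript
// Constructed config shape (assumption): flat rules plus a nested whitelist.
function makeConfig() {
  return { blockContextMenu: true, network: { whitelist: ['info.cern.ch'] } };
}

// Object.freeze is shallow: it locks an object's own properties, not the
// objects those properties refer to. Freeze the whole graph instead.
function deepFreeze(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return value;
  seen.add(value); // guards against cyclic references
  for (const key of Reflect.ownKeys(value)) deepFreeze(value[key], seen);
  return Object.freeze(value);
}

// True when every object reachable from value is frozen.
function isDeepFrozen(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return true;
  seen.add(value);
  return Object.isFrozen(value) &&
    Reflect.ownKeys(value).every(key => isDeepFrozen(value[key], seen));
}

// Tries to add a host and reports whether the whitelist changed. A write to a
// frozen object either throws or is silently dropped, depending on strict mode
// and the operation, so the result is checked instead of relying on an error.
function whitelistChanged(config, host) {
  try { config.network.whitelist.push(host); } catch { /* frozen */ }
  return config.network.whitelist.includes(host);
}

const shallow = Object.freeze(makeConfig());
const deep = deepFreeze(makeConfig());
console.log(isDeepFrozen(shallow), whitelistChanged(shallow, 'other.example'));
console.log(isDeepFrozen(deep), whitelistChanged(deep, 'other.example'));
```

Freezing does not stop mutation of Map or Set contents, so rules kept in those types need a different guard.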

Managing WebSockets & WebRTC

TabGuardian can harden browser APIs to prevent unauthorized communication during the exam. It achieves this by 'monkey-patching' native constructors like WebSocket and RTCPeerConnection so attempts to create a WebSocket to a non-whitelisted URL are blocked, and the WebRTC API is disabled.

Controlling Network Requests

To prevent unauthorized communications, TabGuardian monkey-patches the global Fetch API and the XMLHttpRequest object so that all outgoing requests are inspected and attempts to contact a non-whitelisted domain are blocked.
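
The whitelist wrapping described here and under Managing WebSockets & WebRTC, as an added example that is not TabGuardian's own code: one guard covers a function such as fetch and a constructor such as WebSocket. The host list, PAGE_URL, the helper names and the stand-in fetch and WebSocket are assumptions so that it runs outside a browser.

```javascript
// Hostnames and schemes are assumptions; info.cern.ch is the host the demo names.
const ALLOWED_HOSTS = Object.freeze(['exam.example', 'info.cern.ch']);
const ALLOWED_SCHEMES = Object.freeze(['https:', 'wss:']);
const PAGE_URL = 'https://exam.example/test'; // stands in for location.href

// Parse first, then compare scheme and hostname exactly. Matching on the raw
// string would accept a look-alike host or an allowed name placed in the path.
function isAllowed(rawUrl) {
  let url;
  try { url = new URL(String(rawUrl), PAGE_URL); } catch { return false; }
  return ALLOWED_SCHEMES.includes(url.protocol) &&
         ALLOWED_HOSTS.includes(url.hostname);
}

// fetch() takes a string, a URL or a Request (which carries .url).
const targetOf = args => (args[0] && args[0].url) || args[0];

// One Proxy covers both call styles: apply for fetch(), construct for
// new WebSocket(). A blocked call never reaches the native implementation.
function guard(native) {
  return new Proxy(native, {
    apply(fn, self, args) {
      return isAllowed(targetOf(args))
        ? Reflect.apply(fn, self, args)
        : Promise.reject(new TypeError('blocked: ' + targetOf(args)));
    },
    construct(ctor, args, newTarget) {
      if (!isAllowed(targetOf(args))) throw new Error('blocked: ' + targetOf(args));
      return Reflect.construct(ctor, args, newTarget);
    },
  });
}

// Constructed stand-ins so this runs outside a browser; in a page the
// arguments would be window.fetch and window.WebSocket.
const sent = [];
const guardedFetch = guard(function fetch(u) {
  sent.push(String(u));
  return Promise.resolve('ok');
});
const GuardedSocket = guard(class WebSocket { constructor(u) { this.url = String(u); } });

guardedFetch('/api/answers');
guardedFetch('https://info.cern.ch.other.example/').catch(e => console.log(e.message));
console.log(sent); // only the same-origin request reached the stand-in
```

The check fails closed: a URL that cannot be parsed, or that uses any scheme outside the list, is treated as not whitelisted.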

Console Monitoring

To prevent unauthorized navigation or popups, TabGuardian overwrites disruptive global functions like window.open so it can intercept and block all calls made from the developer console.

Embed Removal

To prevent access to unauthorized content, the DOM is sanitized on load. TabGuardian queries for all <iframe>, <embed>, <object>, and media tags, validating their src paths against the whitelist. Unauthorized elements are removed from the DOM, and whitelisted iframes are forced to use sandbox.

An <iframe> from YouTube and an <audio> tag were automatically removed by TabGuardian.

This iframe is allowed because info.cern.ch is on the whitelist.

Blocking Attribute Tampering

To prevent post-load DOM manipulation, a MutationObserver is attached to the page. It monitors for changes to critical attributes like href and src. If a script attempts to modify a link or embed to point to a non-whitelisted domain, the change is detected and the element is immediately removed by TabGuardian.

Preventing Sandbox Escape

TabGuardian can protect against sandbox escapes by blocking core DOM manipulation methods. By wrapping functions like document.createElement and Node.prototype.appendChild, TabGuardian can inspect newly created elements. For sensitive tags like <iframe>, it can prevent access to its contentWindow, blocking users' attempts to interact with unsanitized content.

Shadow DOM Monitoring

Security policies are applied to both the light and Shadow DOMs. TabGuardian identifies Web Components and traverses their shadowRoot to find and validate nested links, forms, and embeds. This ensures that encapsulated elements cannot be used to bypass the whitelist restrictions.

CSP Injection

TabGuardian dynamically generates a strict Content Security Policy (CSP) based on the domain whitelist. This policy is then injected into the document's <head> as a <meta> tag, instructing the browser to block any requests (scripts, images, frames) to non-whitelisted origins.
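
One way to turn a domain whitelist into such a policy, as an added example that is not TabGuardian's own code. The directive set, the host pattern and the function names are assumptions; each whitelist entry is validated so that it cannot smuggle extra directives into the policy string.

```javascript
// A whitelist entry is a bare hostname, optionally with a leading "*." wildcard.
// Rejecting anything else keeps a stray ";" or space from adding directives.
const HOST_RE = /^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

function buildCsp(hosts) {
  const sources = hosts.map(h => {
    if (!HOST_RE.test(h)) throw new Error('invalid whitelist entry: ' + h);
    return 'https://' + h.toLowerCase();
  });
  const allowed = ["'self'", ...sources].join(' ');
  return [
    `default-src ${allowed}`,  // scripts, images, frames, connections
    "object-src 'none'",       // no plugins
    "base-uri 'self'",         // does not fall back to default-src
    `form-action ${allowed}`,  // does not fall back to default-src
  ].join('; ');
}

// Render the policy as the <meta> element that is injected into <head>.
function cspMetaTag(hosts) {
  const content = buildCsp(hosts).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<meta http-equiv="Content-Security-Policy" content="${content}">`;
}

console.log(cspMetaTag(['info.cern.ch'])); // constructed whitelist
```

A policy delivered through <meta> only governs content parsed after the tag, and the frame-ancestors, report-uri and sandbox directives are ignored in that form.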