Security Model

Strict Mode Protocol

Zepra Browser — Strict Mode Security Policy

Zepra operates in Strict Mode by default, prioritizing:

  • User privacy
  • Predictable behavior
  • Performance stability
  • Reduced attack surface

Strict Mode is designed to prevent abuse while preserving core web functionality.


🛡️ Strict Web Rules

Strict Mode protects users from:

  • Cross-site tracking
  • Cookie theft
  • Malicious redirects
  • Spam prompts and overlays
  • UX manipulation

🚫 Content Policy

Blocked or Restricted Content

| Content Type | Action | Reason |
|---|---|---|
| Third-party cookies | BLOCK | Tracking prevention |
| Popup windows | Require user gesture | Anti-spam |
| Auto-playing media | Muted by default | UX protection |
| Audio playback | Requires user gesture | Abuse prevention |
| Notification prompts | 1 per session | Anti-spam |
| Downloads | Require user gesture | Malware prevention |
| Redirect chains | Max 3 hops | Anti-phishing |

📢 Ad Behavior Policy

Zepra enforces behavior-based ad rules at the engine level; it does not block ads via lists.

| Ad Behavior | Action |
|---|---|
| Overlay ads (cover content) | BLOCK |
| Interstitial ads (pre-content) | BLOCK |
| Auto-expanding ads | BLOCK |
| Fake close buttons | BLOCK |
| Inline static ads | ALLOW |
| Sidebar ads | ALLOW |

🔒 Cookie Policy

  • Default: First-party only
  • Third-party: BLOCKED
  • SameSite: Strict (default)
  • HttpOnly: Enforced for sensitive cookies
  • Partitioning: Per top-level origin

Cookie Theft Prevention

  • No document.cookie access in cross-origin contexts
  • Cookie access restricted to same-site frames
  • Automatic expiry heuristics for tracking behavior

📜 ZepraScript Restrictions

Blocked or Restricted APIs (Strict Mode)

document.cookie;                 // Blocked in cross-origin
window.open();                   // Requires user gesture
Notification.requestPermission(); // Limited calls
navigator.geolocation;           // Coarse accuracy only

Rate-Limited APIs

  • alert(): 3 per page
  • confirm(): 3 per page
  • prompt(): 1 per page
  • window.open(): 1 per gesture
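
The gesture requirement and per-page limits above, sketched as an engine-side gate. This is an added example, not Zepra's own code: PageApiBudget, GatedApi and their methods are hypothetical names, and clearing the gesture token on navigation is an assumption.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>

// Added example; all names are hypothetical. Limits are the ones on this page.
enum class GatedApi { Alert, Confirm, Prompt, WindowOpen };

constexpr int kPopupsPerGesture = 1;  // window.open(): 1 per gesture
// alert(): 3, confirm(): 3, prompt(): 1 per page.
constexpr int perPageLimit(GatedApi api) {
    return api == GatedApi::Prompt ? 1 : 3;
}

class PageApiBudget {
public:
    // Input layer reports a real click, key press or tap.
    void onUserGesture() { popupTokens_ = kPopupsPerGesture; }
    // New page: dialog counters restart. Dropping the unused gesture token
    // here is an assumption, so a gesture cannot carry across a navigation.
    void onNewPage() { used_.fill(0); popupTokens_ = 0; }

    // True if the call may proceed; a permitted call is charged to the budget.
    bool tryConsume(GatedApi api) {
        if (api == GatedApi::WindowOpen) {
            if (popupTokens_ == 0) return false;  // no gesture, or token spent
            --popupTokens_;
            return true;
        }
        int& used = used_[static_cast<std::size_t>(api)];
        if (used >= perPageLimit(api)) return false;  // denied calls are not counted
        ++used;
        return true;
    }

private:
    std::array<int, 3> used_{};  // indexed by Alert, Confirm, Prompt
    int popupTokens_ = 0;
};

int main() {
    PageApiBudget page;
    // Constructed trace: a script calling alert() in a loop, then window.open().
    for (int i = 1; i <= 5; ++i)
        std::printf("alert #%d -> %s\n", i, page.tryConsume(GatedApi::Alert) ? "shown" : "blocked");
    std::printf("window.open, no gesture -> %d\n", page.tryConsume(GatedApi::WindowOpen));
    page.onUserGesture();
    std::printf("window.open, after click -> %d\n", page.tryConsume(GatedApi::WindowOpen));
    std::printf("second window.open, same click -> %d\n", page.tryConsume(GatedApi::WindowOpen));
}
```

Time-based expiry of a gesture is not modelled here; the page states only the per-gesture and per-page counts.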

⚙️ Implementation Model

ContentPolicy Interface

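// Engine-level policy queries; comments refer to the Content Policy table above.
class ContentPolicy {
public:
    enum class Mode { Strict, Compatible };

    bool allowThirdPartyCookies() const;  // Third-party cookies: BLOCK
    bool allowPopups() const;             // Popup windows: require user gesture
    bool allowAutoplayMuted() const;      // Auto-playing media: muted by default
    bool allowAudioPlayback() const;      // Audio playback: requires user gesture
    int maxRedirects() const;             // Redirect chains: max 3 hops
};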