HELMET WEB BROWSER FIREWALL
A privacy- and security-hardened Chromium fork for macOS, distributed exclusively through the Mac App Store under full App Sandbox. URL threat-defense is routed through a proprietary Helmet gateway; the build ships with a jitless V8 and the DrumBrake WebAssembly interpreter, with Google-side telemetry removed and GAIA password hash monitoring disabled (removed from the source code).
Overview – What Helmet is
The Helmet Web Browser Firewall is the browser's built-in URL and content threat-defense system. It combines a hardened Safe Browsing gateway with curated open threat-intelligence feeds (URLHaus, HaGeZi, KADHosts, Anudeep). A Smart Detection master toggle plus per-feed switches govern active contributors; their scored verdicts feed the local SentinelCache and surface as block decisions through the Helmet Firewall toolbar and the ERR_BLOCKED interstitial. Everything runs inside the macOS App Sandbox – no listening sockets, all decisions client-side.
Our focus is on macOS-specific threats as well as Chromium-specific ones. These kinds of threats are taken very seriously by our TI enforcement techniques.
Component versions – What ships in the bundle
| Component | Version |
|---|---|
| Helmet Browser | 1.0.5 |
| Chromium base | 147.0.7727.117 |
| V8 JavaScript Engine | 14.7.173.20 – jitless, heap-sandboxed |
| DrumBrake WASM Interpreter | enabled (sole WASM path) |
| Blink / Skia | 147 (aligned) |
| ANGLE / WebRTC | DEPS-pinned to 147 |
| Mojo IPC | Chromium-integrated |
| WASM Exception Handling | EHv3 (full spec, interpreter-side) |
| SentinelCache | 500 MB / 10 slots |
Free vs Premium – Helmet Free vs Helmet Premium
Every Helmet install ships with the hardened-Chromium core, the native macOS security stack and Safe Browsing enabled. Premium adds the rest of the Web Browser Firewall – the HelmetOn deferred-throttle engine, the user-tunable behavioural controls, the rules subsystem and the in-product VirusTotal layer.
Helmet Free
- App Sandbox – no listening sockets, no JIT/RWX pages, signed helper bundles only
- Hardened Runtime with library validation
- Mac App Store review + Gatekeeper + Apple notarization
- System Keychain trust store for TLS (Chromium pinned roots are not consulted)
- Keychain-backed at-rest encryption for sensitive preferences
- StoreKit-mediated commerce – no third-party payment SDKs embedded
- Privacy Manifests (PrivacyInfo.xcprivacy) for app and SDKs
- Mach-port rendezvous + pre-opened FDs for Mojo IPC bootstrap
- Layered .sb profiles (common / network / renderer / gpu)
- V8 Heap Sandbox + jitless V8
- DrumBrake WebAssembly interpreter
- Site isolation + out-of-process iframes (OOPIFs)
- Safe Browsing via Helmet gateway
Helmet Premium
- Safe Browsing (same gateway as Free)
- Helmet Smart Detection master toggle + per-contributor switches
- URLHaus malware URL feed (abuse.ch, JSON, tag-scored)
- HaGeZi Threat Intelligence feed
- KADHosts hosts-format feed
- Anudeep hosts-format feed
- Cross-domain host mismatch detection (SNI / cert subject vs. nav host)
- Content MIME-type mismatch detection
- Malicious AppleScript detection (beta)
- Malicious SVG detection (beta)
- Inspect localhost + RFC1918 subnets (opt-in)
- Blocking Mode / Silent Mode toggle
- URL Blocking Threshold slider (1–30, default 5)
- User Decision Timer (1–60 s, default 10 s)
- Default Period (60 s – Forever, default 60 s)
- Firewall Rules manager (edit / remove / add custom)
- VirusTotal integration with user-supplied Public API key
- Chrome Extensions opt-in (Web Store install gated)
Web Browser Firewall
Every protection feature, threshold and behaviour can be toggled or tuned from the Web Browser Firewall control panel; nothing is hidden behind command-line flags. The page is organised as a left-hand section index plus a scrolling content pane.
HelmetOn scoring engine – Deferred throttle by multi-contributor scoring
HelmetOn is Helmet's in-memory URL-check engine: every primary navigation is matched against the curated Threat Intel feeds on the request hot-path, with no out-of-process round-trip or network call to reach a verdict.
Its deferred throttle sums a weighted verdict from each contributor and blocks only once the aggregate crosses the user-configurable URL Blocking Threshold (default 5, range 1 – 30), so no single feed can block a benign URL on its own. Feeds refresh every 4 hours and write back into the verdict tables atomically.
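The sketch below is an added example, not Helmet's code, showing how a multi-contributor weighted score with a blocking threshold behaves for hosts-format feeds. The feed contents, the per-feed weights of 3, the function names and the `>=` comparison are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

def parse_hosts_feed(text):
    """Parse hosts-format lines ("0.0.0.0 bad.example") into a set of hostnames."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments, tokenize
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            hosts.update(h.lower().rstrip(".") for h in fields[1:])
    hosts.discard("localhost")                      # loopback entry, not a verdict
    return hosts

# Constructed sample feeds and weights (assumptions, not Helmet's real data).
KADHOSTS_SAMPLE = "# constructed\n0.0.0.0 bad.example\n0.0.0.0 ads.example\n"
ANUDEEP_SAMPLE = "127.0.0.1 localhost\n0.0.0.0 bad.example  # constructed\n"
CONTRIBUTORS = {
    "KADHosts": {"weight": 3, "enabled": True,
                 "hosts": parse_hosts_feed(KADHOSTS_SAMPLE)},
    "Anudeep": {"weight": 3, "enabled": True,
                "hosts": parse_hosts_feed(ANUDEEP_SAMPLE)},
}

def clamp_threshold(value, lo=1, hi=30):
    """Keep the URL Blocking Threshold inside the documented 1-30 range."""
    return max(lo, min(hi, int(value)))

def score_url(url, contributors, threshold=5, smart_detection=True):
    """Sum the weights of enabled contributors that list the navigation host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    hits = {}
    if smart_detection:                             # master toggle
        hits = {name: c["weight"] for name, c in contributors.items()
                if c["enabled"] and host in c["hosts"]}
    score = sum(hits.values())
    # Assumption: "crosses the threshold" is modelled as score >= threshold.
    return {"host": host, "score": score, "hits": hits,
            "block": score >= clamp_threshold(threshold)}

if __name__ == "__main__":
    for u in ("https://bad.example/login", "https://ads.example/x"):
        print(u, score_url(u, CONTRIBUTORS))
```

With these constructed weights a single-feed hit scores 3 and stays below the default threshold of 5, while lowering the threshold to 3 lets one feed block on its own.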
VirusTotal integration – Native in-product
Helmet is the first web browser to natively integrate VirusTotal as a built-in, in-product URL inspection layer. No extension, no companion app – every URL about to be rendered or downloaded can be inspected against VirusTotal's 70+ antivirus engines and URL/domain scanners directly from the browser's request hot-path.
- User-supplied API key. The Public API key is entered in the Web Browser Firewall settings, validated in-product, and persisted only locally (Keychain-encrypted). Helmet ships no shared key and proxies no queries.
- Per-request inspection. The URL is submitted from the Helmet process; the response is folded into the same verdict pipeline as HelmetOn feeds.
- Privacy-preserving submission. The entire query-string is stripped before submission – only scheme, host, port and path are sent. Never the query parameters; never credentials.
- Quota visibility. Today's calls vs. daily allowance and a per-endpoint breakdown are live in the toolbar popover and the Service Status panel.
- Single-click pause. Toggleable from the Helmet Navigation menu – pauses all VT calls without disabling the rest of the Firewall.
- Plan-aware. Public (free) is supported today; Premium is reserved for the professional product line.
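The privacy-preserving submission rule above can be expressed as a small URL reducer. This is an added example, not Helmet's code: the function names and the decision to skip non-http(s) URLs are assumptions, and the identifier helper follows the unpadded base64url form that VirusTotal's API v3 documents for URL identifiers.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = ("http", "https")   # assumption: other schemes are never submitted

def sanitize_for_submission(url):
    """Reduce a URL to scheme://host[:port]/path; drop userinfo, query, fragment."""
    try:
        parts = urlsplit(url)
        port = parts.port                 # raises ValueError on an invalid port
    except ValueError:
        return None                       # malformed URL: submit nothing
    scheme = parts.scheme.lower()
    host = parts.hostname                 # excludes user:password@, lowercased
    if scheme not in ALLOWED_SCHEMES or not host:
        return None
    if ":" in host:                       # IPv6 literal needs its brackets back
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"
    # Empty query and fragment slots: nothing after the path is ever emitted.
    return urlunsplit((scheme, netloc, parts.path or "/", "", ""))

def vt_url_id(sanitized_url):
    """URL identifier for VirusTotal API v3: base64url without '=' padding."""
    return base64.urlsafe_b64encode(sanitized_url.encode()).decode().rstrip("=")

if __name__ == "__main__":
    # Constructed sample input with credentials, a token and a fragment.
    raw = "https://user:pw@Example.COM:8443/reset/path?token=abc#frag"
    clean = sanitize_for_submission(raw)
    print(clean, vt_url_id(clean))
```

The path is still sent, so a secret embedded in a path segment is not removed by this reduction.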
Process & sandbox model – Multi-process model under full App Sandbox
Helmet keeps Chromium's multi-process model – a browser process, per-origin renderers, a GPU process, a network service and utility helpers, each in its own sandbox – but reproduces it end-to-end inside Apple's App Sandbox rather than Chromium's bundled sandbox_mac seatbelt profile.
| What makes it hard | What Helmet does |
|---|---|
| Helper bundles, not fork+exec | Each child process ships as a signed helper bundle; the sandbox forbids posix_spawn of arbitrary executables. |
| Per-role entitlements | Each role gets a minimal entitlement variant – renderers have no network, the GPU helper no file access. |
| Layered .sb policies | Per-role profiles (common, network, renderer, gpu) narrow each process on top of entitlements. |
| IPC over Mach + pre-opened FDs | Mojo bootstraps over Mach-port rendezvous and pre-opened file descriptors. |
| No JIT, no RWX | Jitless V8 and the DrumBrake interpreter leave no executable memory in any process. |
| No listening sockets | Local-socket transports (CDP, DevTools) become parent-child pipes over pre-opened FDs. |
| Site isolation preserved | Per-site renderer isolation and OOPIFs work normally inside the tighter sandbox. |
Apple platform security
JS, WASM & rendering
Hardened build profile
Every release is built with a hardened security-and-privacy profile. The settings below are fixed at build time – they cannot be toggled at runtime by a user, policy or remote configuration.
- V8 Heap Sandbox enabled
- Jitless V8 (no JIT tiers)
- DrumBrake WASM interpreter as sole WASM path
- Official Optimized Build
- Whole-program ThinLTO
- macOS-native TLS trust (no NSS)
- Hardened Mac App Store build mode – auto-updater + JIT paths compiled out
- Stripped unwind tables in release binaries
- No in-app auto-updater (updates flow via MAS)
- No Field Trials / Variations ("Finch")
- No Reporting API / NEL upload
- No Chrome Remote Desktop host/client
- No Hangouts / Meet helper extension
- No mDNS / Multicast DNS broadcast surface
- No DIAL / Cast service discovery
- Empty Google API credentials – code paths fail closed
- No Chrome branding or trademarked resources
- No Chrome-internal Clang plugins
- Honest version reporting (real Chromium version, never spoofed)
Removed / disabled surfaces
| Surface | State in Helmet |
|---|---|
| GAIA sign-in | WebUI removed; screens kept as no-ops so upstream paths still link. |
| Pre-rendering | Prerender2 disabled – sandbox-incompatible and leaks navigation intent. |
| Safe Browsing telemetry | Upstream googleapis.com pings replaced by the Helmet gateway. |
| Google Cloud Messaging | Disabled – no push channel to Google servers. |
| Field Trials / Variations | Removed – no remote configuration can be pushed to Helmet. |
| UMA / UKM histograms | Local-only – nothing exfiltrated. |
| Crash reporting | Local listing only – no upload to Google. |
| NetLog upload | Local-only. |
| Domain Reliability / NEL | Disabled. |
| Translate, Topics API, Privacy Sandbox, FedCM | Disabled on the upstream surface. |
| Password save / leak detection | Default OFF (upstream default: ON). |
| Spell-check remote suggestions | Disabled – local OS spellchecker only. |
| Feedback channel | Not routed to Google. |
| Remote DevTools host | Remote frontend blocked – DevTools served locally only. |
| Web Store install path | Disabled; CRX self-hosting paths gated. |
Ready to try it?
Helmet ships exclusively through the Mac App Store – universal binary for Apple Silicon and Intel Macs.
