A from-scratch browser engine engineered to obliterate tracking, crush fingerprinting, and restore user sovereignty with extreme technical precision.
Version: 0.1.0-alpha (Servo Integration Release)
🚨 THIS IS ALPHA SOFTWARE - USE AT YOUR OWN RISK 🚨
- NOT FOR PRODUCTION USE: This software is experimental and under active development
- EXPECT BUGS: Features may not work as expected, crash, or behave unpredictably
- DATA LOSS POSSIBLE: Do not rely on this software for critical browsing or data storage
- SECURITY VULNERABILITIES: Alpha software may contain security flaws - do not use for sensitive activities
- NO WARRANTY: This software is provided "as is" without any warranty of any kind
- BREAKING CHANGES: APIs, features, and functionality may change dramatically between releases
- NOT RESPONSIBLE: We are not responsible if this software causes any issues, including but not limited to:
- System crashes or instability
- Data corruption or loss
- Security breaches
- Being eaten by a Gru
- Spontaneous combustion of your computer
- Temporal paradoxes
- Existential crises
- Or any other unforeseen consequences
By using this software, you acknowledge that you understand these risks and use it entirely at your own discretion.
For comprehensive documentation about Citadel Browser, please see the docs/ directory:
- Documentation Overview - Complete guide to all documentation
- Release Information - Changelog and release notes
- Architecture & Design - Technical documentation and philosophy
- Development - Contributing guidelines and security practices
🎉 ALPHA RELEASE - SERVO INTEGRATION COMPLETE 🎉 The browser now successfully renders real websites with Servo engine integration!
- ✅ Core architecture and component interfaces defined
- ✅ Servo HTML parser integration (Kuchiki-based) - MAJOR MILESTONE
- ✅ Real website rendering capabilities - Now browses sites like example.com
- ✅ 93% test success rate (26/28 tests passing)
- ✅ Basic unit tests for all components
- ✅ Continuous integration and testing infrastructure
- ✅ Vertical tabs implemented and enabled by default
- ✅ Tab bar visibility controls
- ✅ UI customization (theme settings, layout preferences)
- ✅ Privacy-first networking layer with LOCAL_CACHE as default DNS mode
- ✅ Privacy-preserving DNS resolver with local caching
- ✅ HTTPS-only secure connections
- ✅ Privacy-enhancing request headers
- ✅ Tracking parameter removal from URLs
- ✅ Header fingerprint randomization
- ✅ JavaScript engine integration with rquickjs
- ✅ DOM bindings for JavaScript execution
- ✅ Security policies for script execution and CSP compliance
- ✅ JavaScript engine tests with DOM integration (all passing)
- ✅ Production-ready HTML parsing with Servo components
- ✅ Taffy layout engine integration
- 🔄 Enhancing additional privacy and security features
- 🔄 Implementing advanced browsing functionality
✅ What Works:
- Parse and render real HTML from the web
- Navigate to websites (example.com, static sites)
- Privacy-first networking with HTTPS enforcement
- Tab management and UI controls
- JavaScript execution in sandboxed environment
- CSS parsing and basic styling
- DOM manipulation and security filtering
🚧 Known Limitations:
- Complex web applications may have issues
- Some modern web APIs not yet implemented
- Limited multimedia support
- Basic developer tools only
Citadel isn't just a browser engine—it's a declaration of digital human rights. We're built for those who understand that privacy is not a luxury—it's a fundamental necessity.
In an era where users are treated as products and their data harvested without consent, we're taking a scorched-earth approach to browser privacy that makes surveillance capitalism weep.
Open-source. Uncompromising. Zero-tracking. Future-proof.
Privacy isn't just a feature. It's the entire point of our existence.
Zero compromise on user control over their digital experience.
Users control their data with no forced third-party dependencies.
Dynamic blocklists + machine learning detection that annihilates even the most persistent tracking attempts.
Canvas fingerprinting prevention, hardware API restriction, and tactical noise injection to mask your digital identity.
Per-site process isolation with strict content security policies and cross-site data access prevention.
User-controlled DNS resolution, minimal HTTP headers, and connection fingerprint randomization.
First-party isolation, automatic expiration, and granular user-controlled storage permissions.
Granular privacy controls, transparent data logs, and one-click protection escalation.
Citadel is built with these core components, all implemented with Rust's strong encapsulation features:
- Servo Integration: Production-ready HTML parsing using Kuchiki (Servo-based)
- HTML5ever Backend: Robust HTML5 parsing with proper TreeSink implementation
- Security-Preserving: All parsing maintains Citadel's privacy and security guarantees
- Real Website Support: Successfully parses and renders actual web content
- Attack surface minimization through careful API implementation and selective standard support
- Security-first input handling designed to fail closed rather than open when encountering edge cases
- Integrated rquickjs engine with hardcore sandbox environment and surgically removed tracking APIs
- DOM bindings implemented with security policies and CSP compliance enforcement
- Privacy-preserving execution with zero external data transmission capabilities for scripts
- Comprehensive test suite with DOM integration and security validation (all tests passing)
- Performance-optimized execution that doesn't sacrifice security for convenience
- User-controlled DNS resolution with local cache by default and no reliance on third-party DNS services
- HTTPS-or-die approach that defaults to secure connections and hardens TLS implementation
- Connection fingerprint randomization to prevent server-side tracking and correlation
- Real-world tested: Successfully fetches and renders content from live websites
- Granular privacy controls that give users complete visibility and authority over their data
- Transparent data transmission logs showing exactly what information websites are attempting to access
- Vertical tabs by default for improved usability and efficient screen space utilization
- Alpha-grade UI with basic browsing functionality
The networking layer is the foundation of Citadel's privacy-preserving architecture:
- Local Cache by Default: Minimize network requests that could be tracked
- No Third-Party DNS Services: We never use external DNS services without your explicit consent
- Optional Secure DNS: Support for DNS over HTTPS (DoH) and DNS over TLS (DoT) as user options
- Normalized TTLs: Prevent timing-based tracking through DNS
- HTTPS Only: All connections must use HTTPS for privacy and security
- Strict TLS: Modern, secure TLS configurations
- Certificate Validation: Thorough certificate checking
- Connection Security Levels: Configure security vs. compatibility
- Real-World Tested: Successfully connecting to and rendering actual websites
- Header Management: Remove or normalize headers that could be used for tracking
- Fingerprint Randomization: Prevent browser fingerprinting through request headers
- User-Agent Control: Randomize or normalize your User-Agent
- URL Cleaning: Automatically strip tracking parameters from URLs
- Privacy Levels: Configure maximum, high, or balanced privacy settings
- Tab Management
- Vertical Tabs: Enabled by default for better screen utilization and improved tab visibility
- Tab Bar Visibility: Toggle tab bar on/off with Ctrl+H
- Tab Layout: Switch between vertical and horizontal tabs with Ctrl+Shift+V
- Theme Support: Choose between light, dark, or system theme
- User Sovereignty: All privacy decisions are in your hands
- No Third-Party Dependencies: Local cache for DNS by default - no data sent to third-party DNS providers
- Zero Tracking: No fingerprinting, no tracking, no exceptions
- Alpha-Grade Security: Core security features implemented and tested (93% test pass rate)
All major components in Citadel use Rust's powerful module system, which provides:
- Improved Encapsulation: Implementation details are hidden from the public interface
- Memory Safety: Rust's ownership system eliminates entire classes of bugs
- Fearless Concurrency: Safe concurrent code without data races
- Zero-Cost Abstractions: High-level concepts without runtime overhead
- Cleaner Code Organization: Clear separation between interface and implementation
Citadel Browser is primarily designed for macOS, with limited Linux support for unit testing and development purposes.
- macOS: Primary platform with full feature support
- Linux: Limited support for development and testing only
- Rust and Cargo (latest stable)
- macOS 11.0+ (Big Sur or newer)
- Xcode Command Line Tools
- For Linux development/testing only:
- pkg-config
- OpenSSL dev packages
- Fontconfig dev packages
git clone https://github.com/citadel-browser/citadel-browser-rust.git
cd citadel-browser-rust
cargo buildcargo test
# Expected: 26/28 tests passing (93% success rate)# Test HTML parsing with Servo integration
cargo run --example html_parse_test
# Test full pipeline including networking and rendering
cargo run --example full_pipeline_test# Run the browser with basic website
cargo run -- --url https://example.comcitadel-browser-rust/
├── Cargo.toml # Workspace configuration
├── crates/ # Rust crates
│ ├── networking/ # Privacy-preserving networking components
│ │ ├── src/ # Source code
│ │ │ ├── dns.rs # Privacy-focused DNS resolver
│ │ │ ├── request.rs # Privacy-enhancing HTTP requests
│ │ │ ├── response.rs # HTTP response handling
│ │ │ ├── connection.rs # Secure connection management
│ │ │ ├── resource.rs # Resource fetching
│ │ │ ├── error.rs # Error handling
│ │ │ └── lib.rs # Library entry point
│ │ ├── examples/ # Usage examples
│ │ └── tests/ # Integration tests
│ ├── parser/ # HTML/CSS/JS parsing components with integrated JS engine
│ │ ├── src/ # Source code
│ │ │ ├── html/ # Servo-integrated HTML parsing
│ │ │ │ ├── mod.rs # Main HTML parsing module
│ │ │ │ └── converter.rs # Kuchiki to Citadel DOM conversion
│ │ │ ├── js/ # JavaScript engine integration (rquickjs)
│ │ ├── examples/ # HTML parsing tests and demos
│ │ └── tests/ # Parser tests
│ ├── privacy/ # (Coming soon) Privacy enhancement system
│ ├── security/ # (Coming soon) Security enforcement system
│ └── ui/ # (Coming soon) User interface components
├── examples/ # Integration examples and tests
│ ├── html_parse_test.rs # Basic HTML parsing test
│ └── full_pipeline_test.rs # Complete pipeline demonstration
└── tests/ # Integration tests
✅ COMPLETE: Core engine implementation with fundamental privacy protections:
- ✅ Servo HTML parser integration with Kuchiki
- ✅ Real website rendering capabilities
- ✅ Parser and JavaScript engine with tracking API removal
- ✅ Basic networking layer with HTTPS enforcement
- ✅ Initial fingerprinting protection implementation
- ✅ 93% test success rate
- ✅ Production-ready HTML parsing
Enhanced protection and performance improvements:
- Machine learning tracker detection
- Advanced fingerprinting countermeasures
- User interface with privacy controls and real-time tracking visualization
- Enhanced multimedia support
- Web developer tools
Fully-featured browser with comprehensive privacy protection:
- Complete engine integration with all privacy modules
- Cross-platform support (desktop and mobile)
- Extension API with strict privacy requirements
- Advanced web standards support
Beyond the horizon:
- Advanced threat intelligence integration
- Privacy-preserving cloud syncing (optional)
- Enhanced OS integration with system-wide privacy controls
Citadel is currently in alpha with real browsing capabilities. Help us build a more private, more secure web experience for everyone.
We welcome contributions that align with our vision of uncompromising privacy and security. Please read docs/development/CONTRIBUTING.md for details on our code of conduct and the process for submitting pull requests.
This project is licensed under the MIT License
Inspired by those who believe in digital autonomy and the right to privacy in an increasingly surveilled digital landscape.
Special thanks to the Servo team for their groundbreaking work on web browser engine components that power our HTML parsing capabilities.
See docs/design/DESIGN.md for comprehensive information about project architecture and philosophy.
© 2025 Citadel Browser. Open-source. Uncompromising. Zero-tracking.
Citadel is built with a security-first mindset. We use several approaches to ensure our code is robust:
# Run the standard test suite
cargo test
# Run integration tests
cargo test --test '*'
# Current results: 26/28 tests passing (93% success rate)# Test Servo HTML parsing integration
cargo run --example html_parse_test
# Test full pipeline with networking
cargo run --example full_pipeline_testWe employ aggressive fuzzing to discover and fix security issues before they reach production:
# Switch to nightly Rust (required for fuzzing)
rustup default nightly
# Install LLVM tools component
rustup component add llvm-tools-preview
# Install cargo-fuzz (required for fuzzing)
cargo install cargo-fuzz
# Generate corpus for more effective fuzzing
./fuzz/scripts/generate_corpus.sh
# Run all fuzzers with enhanced memory checking
./fuzz/scripts/run_all_fuzzers.sh
# Or run individual fuzzers with dictionaries
cd fuzz && cargo fuzz run dns_resolver corpus/dns_resolver -dict=dictionaries/dns.dictEach fuzzer uses dictionaries and corpus files specifically designed to test edge cases and potential security vulnerabilities. Our CI automatically runs these fuzzers on every commit to ensure continuous security testing.
See docs/development/FUZZING.md for our complete fuzzing strategy and details on how to contribute to our security efforts.
Any fuzzing failures are considered critical build failures and must be addressed immediately to maintain our security standards.
