Opened 4 years ago

Last modified 6 months ago

#15563 new defect

ServiceWorkers violate first party isolation, probably

Reported by: arthuredelstein Owned by: tbb-team
Priority: High Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-linkability, ff68-esr
Cc: gk, traumschule Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I haven't looked at ServiceWorkers (starting Firefox 33) closely, but I think they likely violate first party isolation. A brief look at some code in mozilla-central suggests that we may be able to use the same code to isolate SharedWorkers and ServiceWorkers by first party domain.

Change History (12)

comment:1 Changed 4 years ago by arthuredelstein

Component: - Select a component → Tor Browser
Keywords: tbb-linkability added
Owner: set to tbb-team

comment:2 Changed 4 years ago by gk

Cc: gk added
Keywords: ff38-esr added

comment:3 Changed 4 years ago by mikeperry

Keywords: ff45-esr added; ff38-esr removed
Summary: ServiceWorkers (arriving FF33) violate first party isolation, probably → ServiceWorkers violate first party isolation, probably

ServiceWorkers are still disabled by pref in FF38.

comment:4 Changed 4 years ago by gk

Don't forget the associated CacheStorage/Cache interfaces: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

comment:5 in reply to: 4 Changed 4 years ago by gk

Priority: normal → major

Replying to gk:

Don't forget the associated CacheStorage/Cache interfaces: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

This landed in Firefox 39 (https://bugzilla.mozilla.org/show_bug.cgi?id=940273).

comment:6 Changed 3 years ago by gk

Keywords: ff52-esr added; ff45-esr removed
Severity: Normal

This is disabled in ESR 45; moving it onto the ESR 52 radar. This holds for the Push API as well. See: https://hg.mozilla.org/releases/mozilla-esr45/rev/67317aa69b40.

comment:7 Changed 2 years ago by gk

comment:8 Changed 2 years ago by gk

Keywords: ff59-esr added; ff52-esr removed

It's still off in ESR 52: https://bugzilla.mozilla.org/show_bug.cgi?id=1338144, moving to ESR 59 tasks.

comment:9 Changed 14 months ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:10 Changed 11 months ago by gk

Keywords: ff67-esr added; ff60-esr removed

Will still be disabled in ESR 60: https://bugzilla.mozilla.org/show_bug.cgi?id=1457915. However, we might need to do something about it much earlier for the mobile context...

comment:11 Changed 8 months ago by arthuredelstein

Keywords: ff68-esr added; ff67-esr removed

Version 68 of Firefox will be the next ESR.

comment:12 Changed 6 months ago by gk

Cc: traumschule added

Don't forget Push. Resolved #27729 as a duplicate.
