Opened 5 years ago

Last modified 6 months ago

#15563 new defect

ServiceWorkers violate first party isolation, probably

Reported by: arthuredelstein
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, ff78-esr, BugSmashFund
Cc: gk, traumschule
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description

I haven't looked at ServiceWorkers (starting Firefox 33) closely, but I think they likely violate first party isolation. A brief look at some code in mozilla-central suggests that we may be able to use the same code to isolate SharedWorkers and ServiceWorkers by first party domain.

Change History (24)

comment:1 Changed 5 years ago by arthuredelstein

Component: - Select a component → Tor Browser
Keywords: tbb-linkability added
Owner: set to tbb-team

comment:2 Changed 5 years ago by gk

Cc: gk added
Keywords: ff38-esr added

comment:3 Changed 5 years ago by mikeperry

Keywords: ff45-esr added; ff38-esr removed
Summary: ServiceWorkers (arriving FF33) violate first party isolation, probably → ServiceWorkers violate first party isolation, probably

ServiceWorkers are still disabled by pref in FF38.

comment:4 Changed 5 years ago by gk

Don't forget the associated CacheStorage/Cache interfaces: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

comment:5 in reply to:  4 Changed 5 years ago by gk

Priority: normal → major

Replying to gk:

Don't forget the associated CacheStorage/Cache interfaces: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

This landed in Firefox 39 (https://bugzilla.mozilla.org/show_bug.cgi?id=940273).

comment:6 Changed 4 years ago by gk

Keywords: ff52-esr added; ff45-esr removed
Severity: Normal

This is disabled in ESR 45; moving it onto the ESR 52 radar. This holds for the Push API as well. See: https://hg.mozilla.org/releases/mozilla-esr45/rev/67317aa69b40.

comment:7 Changed 4 years ago by gk

comment:8 Changed 3 years ago by gk

Keywords: ff59-esr added; ff52-esr removed

It's still off in ESR 52: https://bugzilla.mozilla.org/show_bug.cgi?id=1338144, moving to ESR 59 tasks.

comment:9 Changed 2 years ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:10 Changed 2 years ago by gk

Keywords: ff67-esr added; ff60-esr removed

Will still be disabled in ESR 60: https://bugzilla.mozilla.org/show_bug.cgi?id=1457915. However, we might need to do something about it much earlier for the mobile context...

comment:11 Changed 23 months ago by arthuredelstein

Keywords: ff68-esr added; ff67-esr removed

Version 68 of Firefox will be the next ESR.

comment:12 Changed 21 months ago by gk

Cc: traumschule added

Don't forget Push. Resolved #27729 as a duplicate.

comment:13 Changed 12 months ago by gk

Still disabled in Firefox ESR 68 on desktop but *not* mobile. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1557565.

comment:15 Changed 10 months ago by pili

Sponsor: Sponsor44-can

Adding Sponsor 44 to ESR68 tickets

comment:16 Changed 9 months ago by gk

Keywords: tbb-9.0-must-alpha added

comment:17 Changed 9 months ago by pili

Points: 1

comment:18 Changed 9 months ago by acat

Status: new → needs_information

AFAIK, service worker APIs should not be usable in private browsing mode; navigator.serviceWorker is not present in that case. So on mobile they have flipped the serviceworker pref, but as long as we only have private windows it should not be usable. Should we still investigate this for browser.privatebrowsing.autostart = false?

comment:19 in reply to:  18 Changed 9 months ago by sysrqb

Replying to acat:

AFAIK, service worker APIs should not be usable in private browsing mode; navigator.serviceWorker is not present in that case. So on mobile they have flipped the serviceworker pref, but as long as we only have private windows it should not be usable. Should we still investigate this for browser.privatebrowsing.autostart = false?

We should disable dom.serviceWorkers.enabled on mobile. We don't support browser.privatebrowsing.autostart = false, but we know some people use Tor Browser like that, regardless of the consequences. In the longer term, we should make sure ServiceWorkers do not violate FPI when used in non-private browsing mode, but I don't think verifying this now is worth the effort.

I'll open a ticket for disabling it on Android (for the people who use non-private browsing mode).

I support closing this ticket as done, and opening another ticket specifically for non-private browsing mode, so we don't forget about this in the future.
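
The decision discussed in comment:18 and comment:19, as an added example that is not part of the ticket or of Tor Browser's code: a Node.js audit of a prefs file that reports whether ServiceWorkers are reachable outside private browsing. The function names, the default tables and the sample prefs are assumptions made for illustration; dom.push.enabled and dom.caches.enabled are the Firefox switches for the Push and Cache APIs mentioned in comment:4 and comment:12 and are not named on this page.

```javascript
// Matches boolean prefs only, e.g. user_pref("dom.serviceWorkers.enabled", false);
const BOOL_PREF = /^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/;

// Pref names from the ticket, plus the Push and Cache switches (not named on the page).
const SW = "dom.serviceWorkers.enabled";
const PB = "browser.privatebrowsing.autostart";
const RELATED = ["dom.push.enabled", "dom.caches.enabled"];

function parseBoolPrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = BOOL_PREF.exec(line);
    if (m) prefs.set(m[1], m[2] === "true"); // a later line overrides an earlier one
  }
  return prefs;
}

// `defaults` holds the build's default values; they are assumptions supplied by the
// caller because, per the ticket, they differ between desktop and mobile.
// A pref that is in neither the file nor `defaults` is treated as off.
function auditServiceWorkerExposure(prefsText, defaults) {
  const prefs = parseBoolPrefs(prefsText);
  const get = (name) => (prefs.has(name) ? prefs.get(name) : defaults[name] === true);
  const swEnabled = get(SW);
  const privateOnly = get(PB);
  const findings = [];
  if (swEnabled && privateOnly) {
    findings.push(`${SW} is on; only permanent private browsing keeps the API unavailable`);
  } else if (swEnabled) {
    findings.push(`${SW} is on in non-private mode; first-party isolation is unverified`);
  }
  for (const name of RELATED) {
    if (get(name)) findings.push(`${name} is on; review together with ${SW}`);
  }
  return { swEnabled, privateOnly, exposed: swEnabled && !privateOnly, findings };
}

// Constructed sample: a user switched off permanent private browsing.
const SAMPLE_PREFS = [
  "// constructed prefs.js excerpt",
  'user_pref("browser.privatebrowsing.autostart", false);',
  'user_pref("dom.push.enabled", false);',
].join("\n");
// Assumed defaults modelled on comment:13 (ESR 68: off on desktop, on for mobile).
const DESKTOP_DEFAULTS = { [SW]: false, [PB]: true };
const MOBILE_DEFAULTS = { [SW]: true, [PB]: true };

console.log(auditServiceWorkerExposure(SAMPLE_PREFS, MOBILE_DEFAULTS));
```
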

comment:20 Changed 8 months ago by gk

Keywords: ff68-esr tbb-9.0-must-alpha removed
Status: needs_information → new

Let's keep this ticket for now to have a single point for all the context around this feature. Disabling ServiceWorkers landed on tor-browser-68.1.0esr-9.0-2 (commit 726047a459acf9d8c26fcfdd72584f0196dd60ce) (see comment:30:ticket:31010 for more context).

Let's remove it from our ESR 68 radar, though.

comment:21 Changed 8 months ago by gk

Keywords: ff76-esr added

comment:22 Changed 8 months ago by gk

Keywords: ff78-esr added; ff76-esr removed

There is no 76 ESR.

comment:23 Changed 6 months ago by pili

Keywords: BugSmashFund added

BugSmashFund can be used for the ESR work done so far

comment:24 Changed 6 months ago by pili

Sponsor: Sponsor44-can

Sponsor 44 only covered PM and Team Lead work
