Opened 5 years ago

Last modified 2 weeks ago

#15563 new defect

ServiceWorkers violate first party isolation, probably

Reported by: arthuredelstein
Owned by: tbb-team
Priority: High
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-linkability, ff78-esr
Cc: gk, traumschule
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor: Sponsor44-can

Description

I haven't looked at ServiceWorkers (starting Firefox 33) closely, but I think they likely violate first party isolation. A brief look at some code in mozilla-central suggests that we may be able to use the same code to isolate SharedWorkers and ServiceWorkers by first party domain.

Change History (22)

comment:1 Changed 5 years ago by arthuredelstein

Component: - Select a component → Tor Browser
Keywords: tbb-linkability added
Owner: set to tbb-team

comment:2 Changed 5 years ago by gk

Cc: gk added
Keywords: ff38-esr added

comment:3 Changed 4 years ago by mikeperry

Keywords: ff45-esr added; ff38-esr removed
Summary: ServiceWorkers (arriving FF33) violate first party isolation, probably → ServiceWorkers violate first party isolation, probably

ServiceWorkers are still disabled by pref in FF38.

comment:4 Changed 4 years ago by gk

Don't forget the associated CacheStorage/Cache interfaces: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

comment:5 in reply to:  4 Changed 4 years ago by gk

Priority: normal → major

Replying to gk:

> Don't forget the associated CacheStorage/Cache interfaces: https://developer.mozilla.org/en-US/docs/Web/API/CacheStorage.

This landed in Firefox 39 (https://bugzilla.mozilla.org/show_bug.cgi?id=940273).

comment:6 Changed 4 years ago by gk

Keywords: ff52-esr added; ff45-esr removed
Severity: Normal

This is disabled in ESR 45; moving it onto the ESR 52 radar. This holds for the Push API as well. See: https://hg.mozilla.org/releases/mozilla-esr45/rev/67317aa69b40.

comment:7 Changed 3 years ago by gk

comment:8 Changed 3 years ago by gk

Keywords: ff59-esr added; ff52-esr removed

It's still off in ESR 52: https://bugzilla.mozilla.org/show_bug.cgi?id=1338144. Moving to ESR 59 tasks.

comment:9 Changed 21 months ago by gk

Keywords: ff60-esr added; ff59-esr removed

Firefox 60 is the new ESR.

comment:10 Changed 18 months ago by gk

Keywords: ff67-esr added; ff60-esr removed

Will still be disabled in ESR 60: https://bugzilla.mozilla.org/show_bug.cgi?id=1457915. However, we might need to do something about it much earlier for the mobile context...

comment:11 Changed 15 months ago by arthuredelstein

Keywords: ff68-esr added; ff67-esr removed

Version 68 of Firefox will be the next ESR.

comment:12 Changed 13 months ago by gk

Cc: traumschule added

Don't forget Push. Resolved #27729 as a duplicate.

comment:13 Changed 4 months ago by gk

Still disabled in Firefox ESR 68 on desktop but *not* mobile. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1557565.

comment:15 Changed 2 months ago by pili

Sponsor: Sponsor44-can

Adding Sponsor 44 to ESR68 tickets

comment:16 Changed 6 weeks ago by gk

Keywords: tbb-9.0-must-alpha added

comment:17 Changed 6 weeks ago by pili

Points: 1

comment:18 Changed 4 weeks ago by acat

Status: new → needs_information

AFAIK, service workers APIs should not be usable in private browsing mode, navigator.serviceWorker is not present in that case. So in mobile they have flipped the serviceworker pref but as long as we only have private windows it should not be usable. Should we still investigate this for browser.privatebrowsing.autostart = false?

comment:19 in reply to:  18 Changed 3 weeks ago by sysrqb

Replying to acat:

> AFAIK, service workers APIs should not be usable in private browsing mode, navigator.serviceWorker is not present in that case. So in mobile they have flipped the serviceworker pref but as long as we only have private windows it should not be usable. Should we still investigate this for browser.privatebrowsing.autostart = false?

We should disable dom.serviceWorkers.enabled on mobile. We don't support browser.privatebrowsing.autostart = false, but we know some people use Tor Browser like that, regardless of the consequences. In the longer term, we should make sure ServiceWorkers do not violate FPI when used in non-private browsing mode, but I don't think verifying this now is worth the effort.

I'll open a ticket for disabling it on Android (for the people who use non-private browsing mode).

I support closing this ticket as done, and opening another ticket specifically for non-private browsing mode, so we don't forget about this in the future.
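
An added example, not part of the ticket or of Tor Browser's code: a Node.js check that reads `user_pref(...)` lines from a profile's prefs file and classifies the profile by the two prefs discussed in comment:18 and comment:19. The sample profile text and the defaults passed in are constructed assumptions; real build defaults differ between desktop and mobile.

```javascript
// Parse user_pref("name", value); lines as they appear in prefs.js / user.js.
// Commented-out lines are ignored; a later line overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/gm;
  for (const m of text.matchAll(re)) {
    prefs.set(m[1], JSON.parse(m[2]));
  }
  return prefs;
}

// Classify a profile for the situation described in the ticket:
//   "disabled"     dom.serviceWorkers.enabled is false
//   "private-only" pref is on, but the browser starts in private browsing,
//                  where navigator.serviceWorker is not present (comment:18)
//   "exposed"      pref is on and browser.privatebrowsing.autostart is false
//   "unknown"      a needed value is in neither the profile nor the defaults
function serviceWorkerExposure(text, defaults) {
  const prefs = parsePrefs(text);
  const get = (name) => (prefs.has(name) ? prefs.get(name) : defaults[name]);
  const sw = get("dom.serviceWorkers.enabled");
  if (sw === false) return "disabled";
  if (sw !== true) return "unknown";
  const pb = get("browser.privatebrowsing.autostart");
  if (pb === true) return "private-only";
  if (pb === false) return "exposed";
  return "unknown";
}

// Assumed defaults for a mobile build as described in comment:18
// (service worker pref flipped on, private windows only). Constructed values.
const ASSUMED_DEFAULTS = {
  "dom.serviceWorkers.enabled": true,
  "browser.privatebrowsing.autostart": true,
};

// Constructed sample profile: the user has turned off private browsing autostart.
const CONSTRUCTED_PROFILE = [
  '// user_pref("dom.serviceWorkers.enabled", false);',
  'user_pref("browser.privatebrowsing.autostart", false);',
  'user_pref("constructed.example.string", "a;b");',
].join("\n");

console.log(serviceWorkerExposure(CONSTRUCTED_PROFILE, ASSUMED_DEFAULTS));
```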

comment:20 Changed 2 weeks ago by gk

Keywords: ff68-esr tbb-9.0-must-alpha removed
Status: needs_information → new

Let's keep this ticket for now to have a single point for all the context around this feature. Disabling ServiceWorkers landed on tor-browser-68.1.0esr-9.0-2 (commit 726047a459acf9d8c26fcfdd72584f0196dd60ce) (see comment:30:ticket:31010 for more context).

Let's remove it from our ESR 68 radar, though.

comment:21 Changed 2 weeks ago by gk

Keywords: ff76-esr added

comment:22 Changed 2 weeks ago by gk

Keywords: ff78-esr added; ff76-esr removed

There is no 76 ESR.