[tor-bugs] #15563 [Applications/Tor Browser]: ServiceWorkers violate first party isolation, probably
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Sep 19 19:33:03 UTC 2019
#15563: ServiceWorkers violate first party isolation, probably
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-linkability, ff68-esr,           |  Actual Points:
            tbb-9.0-must-alpha                   |
Parent ID:                                       |         Points:  1
 Reviewer:                                       |        Sponsor:  Sponsor44-can
-------------------------------------------------+-------------------------
Comment (by sysrqb):
Replying to [comment:18 acat]:
> AFAIK, service workers APIs should not be usable in private browsing
> mode, `navigator.serviceWorker` is not present in that case. So in mobile
> they have flipped the serviceworker pref but as long as we only have
> private windows it should not be usable. Should we still investigate this
> for `browser.privatebrowsing.autostart = false`?

We should disable `dom.serviceWorkers.enabled` on mobile. We don't support
`browser.privatebrowsing.autostart = false`, but we know some people use
Tor Browser like that, regardless of the consequences. In the longer term,
we should make sure ServiceWorkers do not violate FPI when used in
non-private browsing mode, but I don't think verifying this now is worth the
effort.

I'll open a ticket for disabling it on Android (for the people who use
non-private browsing mode).

I support closing this ticket as done, and opening another ticket
specifically for non-private browsing mode, so we don't forget about this
in the future.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15563#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online