[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #15563 [Applications/Tor Browser]: ServiceWorkers violate first party isolation, probably



#15563: ServiceWorkers violate first party isolation, probably
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-linkability, ff68-esr, tbb-9.0   |  Actual Points:
  -must-alpha                                    |
Parent ID:                                       |         Points:  1
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor44-can
-------------------------------------------------+-------------------------

Comment (by sysrqb):

 Replying to [comment:18 acat]:
 > AFAIK, service workers APIs should not be usable in private browsing
 mode, `navigator.serviceWorker` is not present in that case. So in mobile
 they have flipped the serviceworker pref but as long as we only have
 private windows it should not be usable. Should we still investigate this
 for `browser.privatebrowsing.autostart = false`?

 We should disable `dom.serviceWorkers.enabled` on mobile. We don't support
 `browser.privatebrowsing.autostart = false`, but we know some people use
 Tor Browser like that, regardless of the consequences. In the longer term,
 we should make sure ServiceWorkers do not violate FPI when used in non-
 private browsing mode, but I don't think verifying this now is worth the
 effort.

 I'll open a ticket for disabling it on Android (for the people who use
 non-private browsing mode).

 I support closing this ticket as done, and opening another ticket
 specifically for non-private browsing mode, so we don't forget about this
 in the future.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15563#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs