-
-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get rid of service workers. #545
Comments
List of examples : What about those websites ? Because if you disable them :
The result is very simple (clear), the(se) website(s) won't work. PS : Yes it's just a warning. |
Sorry, can't confirm. I must say that I have tested the websites with Firefox 60 ESR on the go, which has service workers disabled by default, and they both work. It's more likely that they break for you due to other factors. Would be nice if you could double-check with a clean (without any add-ons or config changes) profile of Firefox 60 ESR which will have service workers disabled by default. Needless to say, I think it's safe to disable those settings when even Mozilla does it in their FF 60 ESR builds. This tells us two things:
And again, Pale Moon has disabled them as well and appears to be fully functional, as is Firefox 60 ESR. |
I understand @Peacock365 but right now, I just can't. Because at this moment, I'm still using Waterfox and I'm busy (IRL etc). PS : To resume, I had never use PaleMoon but perhaps (soon or later) I will give also a chance to Firefox-v60-ESR. Because I need at least 2 addons (Refresh Blocker, Cookie Keeper, etc) and that's why I might one day give another chance to Cyberfox. |
Thank you for the haeds-up, I did not know about that stuff. And some were actually installed on my waterfox, from youtube and from a newspaper. I don't care whether there is a website that needs them - as long as I'm not comfortable with what they do (which as you say we don't really know) and as long as they don't ask for permission - I want them gone. https://www.ghacks.net/2016/03/02/manage-service-workers-in-firefox-and-chrome/ wrote:
This is something I will never want. And virustotal.com works with or without serviceworkers. It did not store any. It does not work in my heavily configured Firefox ESR though - some other setting must be blocking it (probably disabling all workers does). |
they require dom workers. |
Service workers are a very bad thing. They are able to intercept your networking traffic(!) and sit permanently in the background. They won't get deleted when you delete cookies. They are even more advanced than cookies, yet only a few people out there know about them apparently. The only good reason to have them installed is when a site uses push notifications, but then again I wouldn't allow push notifications in exchange for a permanent entity that sits in the background and intercepts my traffic. Most sites don't even use them for push notifications though, to them they are advanced cookies. Fortunately, they are not required for sites to work (i.e. to display correctly) in the vast majority of cases. As I said, Mozilla and the Pale Moon team both consider it safe to disable them. No idea why they are enabled in Waterfox, I assume @MrAlex94 hasn't had time to disable them yet. |
As I said, *Mozilla* and the Pale Moon team both consider it safe to
disable them. No idea why they are enabled in Waterfox, I assume @MrAlex94
<https://github.com/MrAlex94> hasn't had time to disable them yet.
No idea where you're getting that idea? Service workers have been enabled
since Firefox 44. It's disabled in ESR because Mozilla didn't want to
backport patches for it (which I have been doing).
https://hg.mozilla.org/releases/mozilla-release/file/8d923c29717c/browser/app/profile/firefox.js
…On 16 May 2018 at 17:10, Peacock365 ***@***.***> wrote:
@ilu33 <https://github.com/ilu33>
Service workers are a very bad thing. They are able to intercept your
networking traffic(!) and sit permanently in the background. They won't get
deleted when you delete cookies. They are even more advanced than cookies,
and only a few people out there know about them apparently.
The only good reason to have them installed is when a site uses push
notifications, but then again I wouldn't allow push notifications in
exchange for a permanent entity that sits in the background and intercepts
my traffic.
Fortunately, they are not required for sites to work (i.e. to display
correctly) in the vast majority of cases. As I said, Mozilla and the Pale
Moon team both consider it safe to disable them. No idea why they are
enabled in Waterfox, I assume @MrAlex94 <https://github.com/MrAlex94>
hasn't had time to disable them yet.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#545 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEgoWEzD8MfRA2VootrLV_W-wCJ5gFawks5tzE9igaJpZM4T3ZJR>
.
|
But then again, they are a bad thing. They do intercept network traffic, are sitting in the background, and install themselves silently. So... With all due respect, I think they need to go ASAP. PS:
He has a point, hasn't he? |
Stop misrepresenting a news article you read and didn't comprehend. as Alex has said, they are enabled on all non-esr builds of firefox including 60. |
Ahem, read the first post again. There I stated that I meant the ESR release. It's been up there since 8 days. That's not even altering my point though. I doubt Mozilla would release any browser version, be it Release, ESR, Beta, Nightly... you name it, with an essential feature not being present. Mozilla makes sure that ESR users are not experiencing broken websites, and as you can see, they did not find that service workers were strictly required at all. Same goes for Pale Moon by the way. What is their purpose after all? Push and traffic interception, that's about it. Makes me think you love services silently installing themselves without your permission. Good for you. Before you go full ballistic on me, talk with Moonchild about those service workers, he will explain to you how they are unnecessary junk better than I ever could. |
This is one of the many no-go things mozilla has done in the last years, which have completely destroyed my trust:
If you could set that option to : "ask the user" that would be ok, but as things are it has to be disabled. |
I feel like this issue is a lost cause. Nobody needs service workers, ever, no site breaks because of service workers missing, ever. And yet we have to keep them for no reason. Makes no sense. |
Well, even if and when they become more widespread, that doesn't mean that anybody would need to have them enabled. Service workers --> do not <-- play any part in the rendering of a website. No part, whatsoever. They are scripts being initiated by the site, and are sitting in the background. There is a valid use case for this, which is Push notifications. Some sites would want to inform you about certain topics without being open at the moment. Cookies (or more precisely: their specification) did not cut it when sites wished for that functionality to be created, so service workers were invented. Most service workers, however, act as a kind of cookie, intercepting traffic in the background. They don't get deleted with cookies, many site operators are aware of the fact that most users are unaware of service workers. YouTube is a site which initiates a service worker. YouTube also sets cookies. When you delete the cookie, you are not deleting the service worker and vice versa. Now ask yourself: Have you ever received a Push notification from YouTube? No? Well, that's because YouTube uses them as a sort of cookie+, and as a backup plan in case you delete their regular cookie or use an extension that does so. Will YouTube break because the service worker can't be set? Of course not, as they are not playing any part in the rendering process. They are unnecessary, as useful as teeth would be for a butterfly. They do impair your privacy, however, as they tend to intercept traffic.
"Riddance" in this case means "disabled", not "deleted". If you want to enable them, by all means go ahead. I'd never do that, as I can do without yet another form of tracking. Why would I want them enabled when the site builds up just fine with them disabled? Apparently your thumbs down sits a bit loose today, @grahamperrin, and so does mine. Before you write anything about them you should inform yourself about the things they are needed for or aren't needed for. If you are afraid of sites breaking, then I can calm your fears: They won't. PS: Giving a thumbs down to any and all posts I have written in this thread, despite me making a valid argument, is not helping you one bit. Not that I should care, it's disqualifying you, not me. Grow up. |
You are ill-informed. Period. Service workers have nothing to do with rendering, so to suggest that sites will suddenly break (while having them disabled) when they become more common is nonsensical. Sorry to say. |
Wait for what? There is no need to share this thread beyond the scope of this GitHub page, of which it is already part. The decision is an easy one in this case:
By the way... I have viewed the following sites with service workers disabled, zero breakage so far: Zero breakage. Nada. And some of them should have an interest in tracking users. |
I'd also be in favor of disabling them. It's true that there are a few advantages enabled service workers have, like push notifications. But service workers can intercept network traffic. And they can be installed and used without the user's consent. Unlike Mozilla, Waterfox should care about their user's privacy. |
I agree. Waterfox should follow Pale Moon's example and turn them off by default. If this is considered "too radical" an approach, the very least I would expect from Waterfox would be to expose Push notifications as a setting in the preferences tab, which people may use to choose whether they want to have their privacy impaired by service workers, or not. Although I'm very much in favor of disabling them altogether for the sake of privacy, and in case such an option is created, to make it opt-in instead of opt-out. |
I'd consider this a compromise: Create a checkbox in the preferences tab which controls dom.serviceWorkers.enabled and dom.push.enabled. Whether this is opt-in (which I would favor) or opt-out (which @MrAlex94 would probably favor) is up for debate. But in general, the creation of such a checkbox would be a good move in my book. |
I have yet to see any argument why serviceworkers need to be active beyond those push notifications that no site uses anyway. And I would not be willing to pay for that potential gain with a privacy loss that high. But if we want to hear arguments we should keep it civil. No need to get into attack mode. Just chill.
Shouldn't Waterfox put emphasis on privacy and security, independently from whatever Mozilla does? And if the implemetation of serviceworkers is not finalized yet (that seems to be the case from what I read) shouldn't they stay deactivated until development is finished - and until there's really a need for them? |
@ilu33 @Toromino @MrAlex94 @grahamperrin Something like this could prove effective (Notifications section): http://soft.mydiv.org/images/en/win/screens/82214.jpg Apparently, Cyberfox has already thought about this. I would add one further setting making the disabling of notifications permanent, in addition to the normal (temporary, until restart) setting. Maybe this could be ported over, would enhance the UI and put the user in control. Just a thought. If somebody could locate the patch that created this, it would be great. related discussion: https://8pecxstudios.com/Forums/viewtopic.php?t=1875 |
@Peacock365 @MrAlex94 I used https://gauntface.github.io/simple-push-demo/ as a test case and it needed both dom.serviceWorkers.enabled and dom.push.enabled set to true to work. The serviceworker was installed prior to asking for consent and was not removed after I denied consent. Serviceworkers and push notifications are fine if users explicitly aggreed to them. But the consent has to not only happen when the service worker is starting to send push notifications, it has to happen when the service worker is installed. Youtube.com silently installs serviceworkers without pushing notices so I'm suspecting malign intentions. And if you compare different serviceworker scripts to the simple-push-demo you can see that they do a lot of different stuff that's not connected to pushing anything. Theguardian.com uses a SW that blocks requests to certain websites (no idea why) and that from youtube obviously does a lot more (and totally different) from sending a push notification. Sadly I don't know JS so I can only guess ... "Using service worker you can hijack connections, fabricate, and filter responses. Powerful stuff." (https://developers.google.com/web/fundamentals/primers/service-workers/) - everything you would want, right? So it seems that serviceworkers can do a lot of things besides just push notifications and short of setting dom.serviceWorkers.enabled to false there seems to be not much a user can do. A per-site switch (which FF doesn't provide) in settings would be nice but whatever Toady wanted to do there it doesn't work for me. Anyway, since future Waterfox releases are planned to be based on ESR (which has serviceworkers off) I don't understand why there's even a discussion about this? |
Just about this subject. PS : I forgot because it was a long time ago... But it wasn't only one Cyberfox trouble.
|
This is a complex topic with no easy solution. It is a web standard, and a browser should ideally be compliant. But not all standards may be ideal or favourable. So I’m thinking maybe the following scenario:
I’ll look into having them off by default, but I don’t want Waterfox to not follow standards. |
Thanks,
That's reasonable. Given the stray from the web standard, the browser could present a notification about the effect; plus there should be a persistent hint somewhere in Elsewhere recently I found that a service worker remained active after disabling service workers. This state, whilst normal, might concern some users. |
@MrAlex94 I understand your dilemma. The problem is that every new web standard opens up a lot of new attack vectors (security- and privacy-wise) while most of the average users never uses those features anyway. The best way to get a safe and stable browser is to NOT have all those features. I'm solving this for myself by using 3 browsers with up to 9 profiles separating different tasks into different browsers (profiles) but this requires a discipline the average user will not have. Since most people do online banking using the same browser they visit porn sites with, I think that safety and privacy is the top priority. Everything else can be enabled when needed. Anyway, since options provided by mozilla are lacking (no per-site switch) I think both settings disabled by default and with a toggle option under content would be good. A "show serviceworkers" button opening the about: page would be best.
My test with that simple-push-demo showed the opposite, the demo stopped working. But that might depend upon the sw.js used, the demo is very simple. |
IIRC, there is a page for service workers, check |
@criztovyl yes, about:serviceworkersIf about:config?filter=dom.serviceWorkers.enabled shows
If about:config?filter=dom.serviceWorkers.enabled shows
– however as noted above, a detector elsewhere may continue to show that a worker is active, even after the (worker's) page is reloaded. Food for thoughtBetter way to work with service workers - Developer Tools - Mozilla Discourse begins by presenting a Google Chrome developer view of service worker status for an application. |
@grahamperrin Thank you for pointing me at Service Worker Detector [https://addons.mozilla.org/en-US/firefox/addon/service-worker-detector/] |
|
Paper: "Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation" [PDF] |
Did you try the extension?
Thanks. Discussions: |
While I am glad to see service workers now being disabled by default - from a privacy perspective - this also causes issues with push services (as expected). Those push services rely on service workers, after all. Issue #893 I'd like to renew my suggestion: Create a checkbox named "Enable push notifications" or similar, which controls dom.serviceWorkers.enabled. I wouldn't name it "Enable Service workers", as most people have no idea what a service worker is in the first place. I am trying to say that there should be an easily accessible setting controlling service workers for the sake of working push notifications, with that option being opt-in. |
Why don't we just have a prompt that shows up (when |
There's Block Service Workers, which:
Note: the extension does not block activation of registered workers. A notification on KDE Plasma (close-ups from the screenshot above), whilst loading WhatsApp Web: – and on Lubuntu: |
ServiceWorkers are now off by default on v56, but will remain enabled for v68. I may look into a permission prompt though, as that would be more appropriate. |
This explains why sufficiently:
https://www.reddit.com/r/firefox/comments/7dq2h7/is_there_any_reason_not_to_disable_service_workers/
https://www.ghacks.net/2018/05/08/firefox-60-and-firefox-60-esr-differences/
So dom.serviceWorkers.enabled should be set to false.
Push notifications rely on service workers and are disabled in the new Firefox ESR as well, you could also configure Waterfox that way.
dom.push.enabled should consequently also be set to false.
The text was updated successfully, but these errors were encountered: