Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get rid of service workers. #545

Closed
Peacock365 opened this issue May 8, 2018 · 37 comments
Closed

Get rid of service workers. #545

Peacock365 opened this issue May 8, 2018 · 37 comments

Comments

@Peacock365
Copy link

Peacock365 commented May 8, 2018

This explains why sufficiently:

https://www.reddit.com/r/firefox/comments/7dq2h7/is_there_any_reason_not_to_disable_service_workers/

  • What's more, Mozilla doesn't even enable them in their new Firefox 60 ESR as they are still undergoing development:

https://www.ghacks.net/2018/05/08/firefox-60-and-firefox-60-esr-differences/

  • Pale Moon does not have them enabled either for privacy reasons.

So dom.serviceWorkers.enabled should be set to false.

Push notifications rely on service workers and are disabled in the new Firefox ESR as well, you could also configure Waterfox that way.

dom.push.enabled should consequently also be set to false.

@WagnerGMD
Copy link

WagnerGMD commented May 11, 2018

List of examples :

What about those websites ? Because if you disable them :

pref("dom.serviceWorkers.enabled",false);
pref("dom.workers.enabled",false);

The result is very simple (clear), the(se) website(s) won't work.

PS : Yes it's just a warning.
The last one or the both ? You should try by yourself. Because I had forgot (sorry I had discover this bug a very very long time ago).
By the past (the previous version of the(se) website(s)), no it wasn't a trouble (and it didn't require cookies and from my point of view, that's just bad (I refer to the current version)).

@Peacock365
Copy link
Author

Peacock365 commented May 11, 2018

@WagnerGMD

Sorry, can't confirm. I must say that I have tested the websites with Firefox 60 ESR on the go, which has service workers disabled by default, and they both work. It's more likely that they break for you due to other factors.

Would be nice if you could double-check with a clean (without any add-ons or config changes) profile of Firefox 60 ESR which will have service workers disabled by default.

Needless to say, I think it's safe to disable those settings when even Mozilla does it in their FF 60 ESR builds. This tells us two things:

  1. Service workers are either not very prevalent or aren't required for most websites to work.
  2. They probably have the done research regarding this and have decided that it's safe to disable them.

And again, Pale Moon has disabled them as well and appears to be fully functional, as is Firefox 60 ESR.

@WagnerGMD
Copy link

I understand @Peacock365 but right now, I just can't. Because at this moment, I'm still using Waterfox and I'm busy (IRL etc).

PS : To resume, I had never use PaleMoon but perhaps (soon or later) I will give also a chance to Firefox-v60-ESR. Because I need at least 2 addons (Refresh Blocker, Cookie Keeper, etc) and that's why I might one day give another chance to Cyberfox.

@ilu33
Copy link

ilu33 commented May 14, 2018

Thank you for the haeds-up, I did not know about that stuff. And some were actually installed on my waterfox, from youtube and from a newspaper. I don't care whether there is a website that needs them - as long as I'm not comfortable with what they do (which as you say we don't really know) and as long as they don't ask for permission - I want them gone.

https://www.ghacks.net/2016/03/02/manage-service-workers-in-firefox-and-chrome/ wrote:

Service Workers are an up and coming feature supported by most modern browsers that enable sites and services to interact with the browser without having to be open in it.

This is something I will never want.

And virustotal.com works with or without serviceworkers. It did not store any. It does not work in my heavily configured Firefox ESR though - some other setting must be blocking it (probably disabling all workers does).

@Squall-Leonhart
Copy link

they require dom workers.

@Peacock365
Copy link
Author

Peacock365 commented May 16, 2018

@ilu33

Service workers are a very bad thing. They are able to intercept your networking traffic(!) and sit permanently in the background. They won't get deleted when you delete cookies. They are even more advanced than cookies, yet only a few people out there know about them apparently.

The only good reason to have them installed is when a site uses push notifications, but then again I wouldn't allow push notifications in exchange for a permanent entity that sits in the background and intercepts my traffic. Most sites don't even use them for push notifications though, to them they are advanced cookies.

Fortunately, they are not required for sites to work (i.e. to display correctly) in the vast majority of cases. As I said, Mozilla and the Pale Moon team both consider it safe to disable them. No idea why they are enabled in Waterfox, I assume @MrAlex94 hasn't had time to disable them yet.

@MrAlex94
Copy link
Collaborator

MrAlex94 commented May 16, 2018 via email

@Peacock365
Copy link
Author

Peacock365 commented May 16, 2018

@MrAlex94

But then again, they are a bad thing. They do intercept network traffic, are sitting in the background, and install themselves silently.
Actually, I have yet to find a site that breaks due to service workers being disabled.
Mozilla has them disabled, I doubt they would disable them if they were essential (even if there might be technical reasons to disable them, if they were high priority for websites, they would be there).

So... With all due respect, I think they need to go ASAP.

PS:

You may want to check https://forum.palemoon.org/viewtopic.php?f=5&t=10606 started on new year's day.
Push notifications will have you permanently tethered to whatever push server(s) in use whenever your browser is open. This tether not only allows them to push notifications at any time THEY think it's convenient with whatever content, they can also use it to indirectly monitor you and get data from your browser.
Moonchild

So, in short: even if you don't have the site in question open, the site operators (through the permanent tether to a push service provider, to begin with, that can also monitor you as long as the browser is open) can get information from your browser and send you notifications.
I really don't think I would ever want such a thing.
Moonchild

If you opt in to it on a site, you will create a tether connection to a push server, and be given a unique identifier to push to.
The originating site as well as the push server will be able to track you through this, including geolocation via IP. It's indirect, but always-on whenever your browser is open. The only way to stop this is to unsubscribe.
Moonchild

He has a point, hasn't he?

@Squall-Leonhart
Copy link

Stop misrepresenting a news article you read and didn't comprehend.

as Alex has said, they are enabled on all non-esr builds of firefox including 60.

@Squall-Leonhart
Copy link

image

@Peacock365
Copy link
Author

Peacock365 commented May 16, 2018

@Squall-Leonhart

Ahem, read the first post again. There I stated that I meant the ESR release. It's been up there since 8 days. That's not even altering my point though. I doubt Mozilla would release any browser version, be it Release, ESR, Beta, Nightly... you name it, with an essential feature not being present. Mozilla makes sure that ESR users are not experiencing broken websites, and as you can see, they did not find that service workers were strictly required at all. Same goes for Pale Moon by the way.

What is their purpose after all? Push and traffic interception, that's about it. Makes me think you love services silently installing themselves without your permission. Good for you. Before you go full ballistic on me, talk with Moonchild about those service workers, he will explain to you how they are unnecessary junk better than I ever could.

@ilu33
Copy link

ilu33 commented May 18, 2018

This is one of the many no-go things mozilla has done in the last years, which have completely destroyed my trust:

  • silently
  • without consent
  • listening in

If you could set that option to : "ask the user" that would be ok, but as things are it has to be disabled.
It would be nice if waterfox would do that because that would save me one more thing I have to remember on every fresh install I do for friends and family.

@Peacock365
Copy link
Author

@ilu33

I feel like this issue is a lost cause. Nobody needs service workers, ever, no site breaks because of service workers missing, ever. And yet we have to keep them for no reason. Makes no sense.

@Peacock365
Copy link
Author

Peacock365 commented May 20, 2018

@grahamperrin

relatively easy to retain the functionality – and resolve (or least gain awareness of) issues gradually, as use of service workers becomes more widespread

Well, even if and when they become more widespread, that doesn't mean that anybody would need to have them enabled. Service workers --> do not <-- play any part in the rendering of a website. No part, whatsoever. They are scripts being initiated by the site, and are sitting in the background. There is a valid use case for this, which is Push notifications. Some sites would want to inform you about certain topics without being open at the moment. Cookies (or more precisely: their specification) did not cut it when sites wished for that functionality to be created, so service workers were invented. Most service workers, however, act as a kind of cookie, intercepting traffic in the background. They don't get deleted with cookies, many site operators are aware of the fact that most users are unaware of service workers. YouTube is a site which initiates a service worker. YouTube also sets cookies. When you delete the cookie, you are not deleting the service worker and vice versa. Now ask yourself: Have you ever received a Push notification from YouTube? No? Well, that's because YouTube uses them as a sort of cookie+, and as a backup plan in case you delete their regular cookie or use an extension that does so. Will YouTube break because the service worker can't be set? Of course not, as they are not playing any part in the rendering process.

They are unnecessary, as useful as teeth would be for a butterfly. They do impair your privacy, however, as they tend to intercept traffic.

relatively difficult to address a sudden influx of issues arising from addition of functionality after an indeterminate period of riddance.

"Riddance" in this case means "disabled", not "deleted". If you want to enable them, by all means go ahead. I'd never do that, as I can do without yet another form of tracking.

Why would I want them enabled when the site builds up just fine with them disabled?

Apparently your thumbs down sits a bit loose today, @grahamperrin, and so does mine. Before you write anything about them you should inform yourself about the things they are needed for or aren't needed for. If you are afraid of sites breaking, then I can calm your fears: They won't.

PS: Giving a thumbs down to any and all posts I have written in this thread, despite me making a valid argument, is not helping you one bit. Not that I should care, it's disqualifying you, not me. Grow up.

@Peacock365
Copy link
Author

Peacock365 commented May 20, 2018

@grahamperrin

You are ill-informed. Period. Service workers have nothing to do with rendering, so to suggest that sites will suddenly break (while having them disabled) when they become more common is nonsensical. Sorry to say.

@Peacock365
Copy link
Author

Peacock365 commented May 20, 2018

prefer to wait.

Wait for what? There is no need to share this thread beyond the scope of this GitHub page, of which it is already part. The decision is an easy one in this case:

  1. Disable them, thereby losing some not necessarily relevant functionality on the minority of sites which make legit use of them.
  2. Keep them enabled, thereby impairing privacy due to the majority of sites using them to intercept traffic, while slightly enhancing the minority of sites through push notifications.

By the way... I have viewed the following sites with service workers disabled, zero breakage so far:
Amazon, eBay, Netflix, Google, Yahoo, Reddit, YouTube, Twitter...

Zero breakage. Nada. And some of them should have an interest in tracking users.

@Toromino
Copy link

I'd also be in favor of disabling them. It's true that there are a few advantages enabled service workers have, like push notifications. But service workers can intercept network traffic. And they can be installed and used without the user's consent. Unlike Mozilla, Waterfox should care about their user's privacy.

@Peacock365
Copy link
Author

Peacock365 commented May 20, 2018

@Toromino

I agree. Waterfox should follow Pale Moon's example and turn them off by default. If this is considered "too radical" an approach, the very least I would expect from Waterfox would be to expose Push notifications as a setting in the preferences tab, which people may use to choose whether they want to have their privacy impaired by service workers, or not. Although I'm very much in favor of disabling them altogether for the sake of privacy, and in case such an option is created, to make it opt-in instead of opt-out.

@Peacock365
Copy link
Author

Peacock365 commented May 20, 2018

I'd consider this a compromise: Create a checkbox in the preferences tab which controls dom.serviceWorkers.enabled and dom.push.enabled. Whether this is opt-in (which I would favor) or opt-out (which @MrAlex94 would probably favor) is up for debate. But in general, the creation of such a checkbox would be a good move in my book.

@ilu33
Copy link

ilu33 commented May 20, 2018

I have yet to see any argument why serviceworkers need to be active beyond those push notifications that no site uses anyway. And I would not be willing to pay for that potential gain with a privacy loss that high.

But if we want to hear arguments we should keep it civil. No need to get into attack mode. Just chill.

Service workers have been enabled since Firefox 44. It's disabled in ESR because Mozilla didn't want to backport patches for it (which I have been doing).

Shouldn't Waterfox put emphasis on privacy and security, independently from whatever Mozilla does? And if the implemetation of serviceworkers is not finalized yet (that seems to be the case from what I read) shouldn't they stay deactivated until development is finished - and until there's really a need for them?

@Peacock365
Copy link
Author

Peacock365 commented May 31, 2018

@ilu33 @Toromino @MrAlex94 @grahamperrin

Something like this could prove effective (Notifications section):

http://soft.mydiv.org/images/en/win/screens/82214.jpg

Apparently, Cyberfox has already thought about this. I would add one further setting making the disabling of notifications permanent, in addition to the normal (temporary, until restart) setting. Maybe this could be ported over, would enhance the UI and put the user in control. Just a thought. If somebody could locate the patch that created this, it would be great.

related discussion: https://8pecxstudios.com/Forums/viewtopic.php?t=1875
This discussion and the resulting could potentially indicate the location of the code: InternalError503/cyberfox@f0e41fd

@ilu33
Copy link

ilu33 commented Jun 1, 2018

@Peacock365 @MrAlex94
I checked out cyberfox 52.7.4 and the "Do not disturb" option is gone. Also the "Choose" window for notifications doesn't seem to work. dom.serviceWorkers.enabled and dom.push.enabled are set to false as is to be expected from an ESR clone.

I used https://gauntface.github.io/simple-push-demo/ as a test case and it needed both dom.serviceWorkers.enabled and dom.push.enabled set to true to work. The serviceworker was installed prior to asking for consent and was not removed after I denied consent.

Serviceworkers and push notifications are fine if users explicitly aggreed to them. But the consent has to not only happen when the service worker is starting to send push notifications, it has to happen when the service worker is installed. Youtube.com silently installs serviceworkers without pushing notices so I'm suspecting malign intentions.

And if you compare different serviceworker scripts to the simple-push-demo you can see that they do a lot of different stuff that's not connected to pushing anything. Theguardian.com uses a SW that blocks requests to certain websites (no idea why) and that from youtube obviously does a lot more (and totally different) from sending a push notification. Sadly I don't know JS so I can only guess ...

"Using service worker you can hijack connections, fabricate, and filter responses. Powerful stuff." (https://developers.google.com/web/fundamentals/primers/service-workers/) - everything you would want, right?

So it seems that serviceworkers can do a lot of things besides just push notifications and short of setting dom.serviceWorkers.enabled to false there seems to be not much a user can do. A per-site switch (which FF doesn't provide) in settings would be nice but whatever Toady wanted to do there it doesn't work for me.

Anyway, since future Waterfox releases are planned to be based on ESR (which has serviceworkers off) I don't understand why there's even a discussion about this?

@WagnerGMD
Copy link

WagnerGMD commented Jun 2, 2018

I checked out cyberfox 52.7.4 and the "Do not disturb" option is gone.

Just about this subject.
I haven't use Cyberfox since several months but it's doesn't matter.
Because (at the end), this option has never work fine (despite several attempts (over the time) and I believe this trouble was never really rectify by Mozilla).

PS : I forgot because it was a long time ago... But it wasn't only one Cyberfox trouble.
Because according to my little memories, I had try several browser (Waterfox ? Firefox ? etc) and the solution was :

lockPref("dom.push.enabled",false);
lockPref("dom.push.connection.enabled",false);
lockPref("dom.webnotifications.enabled",false);
lockPref("dom.webnotifications.serviceworker.enabled",false);

@MrAlex94
Copy link
Collaborator

MrAlex94 commented Jun 2, 2018

This is a complex topic with no easy solution.

It is a web standard, and a browser should ideally be compliant. But not all standards may be ideal or favourable.

So I’m thinking maybe the following scenario:

  • Toggle options for Service Workers
  • Disabled if finger print pref is triggered

I’ll look into having them off by default, but I don’t want Waterfox to not follow standards.

@grahamperrin
Copy link

Thanks,

  • Disabled if finger print pref is triggered

That's reasonable. Given the stray from the web standard, the browser could present a notification about the effect; plus there should be a persistent hint somewhere in about:preferences.

Elsewhere recently I found that a service worker remained active after disabling service workers. This state, whilst normal, might concern some users.

@ilu33
Copy link

ilu33 commented Jun 2, 2018

@MrAlex94 I understand your dilemma. The problem is that every new web standard opens up a lot of new attack vectors (security- and privacy-wise) while most of the average users never uses those features anyway. The best way to get a safe and stable browser is to NOT have all those features. I'm solving this for myself by using 3 browsers with up to 9 profiles separating different tasks into different browsers (profiles) but this requires a discipline the average user will not have. Since most people do online banking using the same browser they visit porn sites with, I think that safety and privacy is the top priority. Everything else can be enabled when needed.

Anyway, since options provided by mozilla are lacking (no per-site switch) I think both settings disabled by default and with a toggle option under content would be good. A "show serviceworkers" button opening the about: page would be best.

Elsewhere recently I found that a service worker remained active after disabling service workers. This state, whilst normal, might concern some users.

My test with that simple-push-demo showed the opposite, the demo stopped working. But that might depend upon the sw.js used, the demo is very simple.

@criztovyl
Copy link

IIRC, there is a page for service workers, check about:about, it's in the list there. :)

@grahamperrin
Copy link

@criztovyl yes,

about:serviceworkers

If about:config?filter=dom.serviceWorkers.enabled shows true then about:serviceworkers

  • shows whether a worker is registered
  • can not show whether a registered worker is active.

If about:config?filter=dom.serviceWorkers.enabled shows false then about:serviceworkers shows:

Service Workers are not enabled.

– however as noted above, a detector elsewhere may continue to show that a worker is active, even after the (worker's) page is reloaded.

Food for thought

Better way to work with service workers - Developer Tools - Mozilla Discourse begins by presenting a Google Chrome developer view of service worker status for an application.

@ilu33
Copy link

ilu33 commented Jan 4, 2019

@grahamperrin Thank you for pointing me at Service Worker Detector [https://addons.mozilla.org/en-US/firefox/addon/service-worker-detector/]

@grahamperrin
Copy link

image

Service workers have been blocked for this w…

Click this notification to re-enable service workers

See https://redd.it/ara5ia

@chocolateboy
Copy link

chocolateboy commented Feb 27, 2019

New browser attack lets hackers run bad code even after users leave a web page

Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected.

This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.

This is possible because modern web browsers now support a new API called Service Workers...

Paper: "Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation" [PDF]

@grahamperrin
Copy link

grahamperrin commented Feb 28, 2019

Did you try the extension?

New browser attack lets hackers run bad code even after users leave a web page

Thanks. Discussions:

@grahamperrin
Copy link

521afd5

@Peacock365
Copy link
Author

While I am glad to see service workers now being disabled by default - from a privacy perspective - this also causes issues with push services (as expected). Those push services rely on service workers, after all.

Issue #893

I'd like to renew my suggestion: Create a checkbox named "Enable push notifications" or similar, which controls dom.serviceWorkers.enabled. I wouldn't name it "Enable Service workers", as most people have no idea what a service worker is in the first place.

I am trying to say that there should be an easily accessible setting controlling service workers for the sake of working push notifications, with that option being opt-in.

@hook321
Copy link

hook321 commented Mar 16, 2019

Why don't we just have a prompt that shows up (when dom.serviceWorkers.enabled is set to true) that allows someone to decide whether or not they want to allow a website to install a specific service worker when a site attempts to? That way even if someone wants them enabled (for push notifications or something else) they won't have to necessarily allow all of them.

@grahamperrin
Copy link

grahamperrin commented Mar 17, 2019

There's Block Service Workers, which:

  • blocks registration by default
  • allows the block to be reversed.

Note: the extension does not block activation of registered workers.

A notification on KDE Plasma (close-ups from the screenshot above), whilst loading WhatsApp Web:

image

image

– and on Lubuntu:

image

image

@MrAlex94
Copy link
Collaborator

MrAlex94 commented Jun 6, 2019

ServiceWorkers are now off by default on v56, but will remain enabled for v68. I may look into a permission prompt though, as that would be more appropriate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants