discussion: redo 2300s web workers #71

Closed
Thorin-Oakenpants opened this issue Mar 26, 2017 · 11 comments

Contributor

Thorin-Oakenpants commented Mar 26, 2017

Before we revamp the 2300 section, which I will rename as Web Workers, I think it's important we understand what they are. This issue is for discussing that, and any ramifications: security/privacy.

NOTE: also see #60 which mentions the FBI exploit, CVEs (might be fixed but there will be more), latest Pwn2Own exploit, add-on breakage (find another add-on or talk to the developer).

Web Workers: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API

Worker

  • A worker is an object that runs a named JavaScript file
  • A worker runs in a global context that is different from the current window
  • A worker is a background task that can be easily created and can send messages back to its creator
  • Workers may in turn spawn new workers as long as those workers are hosted within the same origin as the parent page

Service Worker

  • Service workers only run over HTTPS
  • Service workers essentially act as proxy servers that sit between web applications, and the browser and network
  • A service worker is an event-driven worker
  • A service worker takes the form of a JavaScript file that can control the web page/site it is associated with, intercepting and modifying navigation and resource requests, and caching resources
  • A service worker is run in a worker context: it therefore has no DOM access
  • Service Worker APIs are hidden (in Firefox) and cannot be used when the user is in private browsing mode.

Shared Worker

  • Shared workers are workers that can be utilized by multiple scripts running in different windows, tabs, iFrames, etc., as long as they are in the same domain as the worker.

Chrome Worker

  • Chrome Workers are a Firefox-only type of worker that you can use if you want to use workers in extensions

Functions/APIs of interest available to web workers:

  • Broadcast Channel API: same origin communication between browsing contexts (windows/tabs/iframes)
  • Cache API: can control cache storage
  • Channel Messaging API: direct communication via SharedWorker between browsing contexts (windows/tabs/iframes)
  • Worker: workers can spawn new workers

Security concerns

  • [bad] no restriction with local access: running workers from file:// - this needs to be checked. Chrome blocks this by default, other browsers do/did not.
  • [good] Worker scripts must be external files with the same scheme as their calling page, i.e.:
      • you cannot load a script from a data: URL or javascript: URL
      • an https: page cannot start worker scripts that begin with http: URLs
  • [mention] loads of CVEs! more to come? exploit at very recent Pwn2Own?

Privacy concerns

  • can communicate over same origin between contexts - i.e. across different windows, tabs, iframes
  • Push API and Notification API (note: As of Firefox 44, the permissions for Notifications and Push have been merged) - messages delivered whether or not the web app is in the foreground, or even currently loaded
  • granular control over cache
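
Added example, not part of the original post or the project's code: a small JavaScript (Node.js) model of the worker-script restrictions listed in the post above, usable for auditing the worker URLs a page tries to load. The function name `checkWorkerScript`, the verdict strings and the sample URLs are assumptions constructed for illustration; it does not reproduce any browser's actual implementation.

```javascript
// Models the rules listed in the post: no data:/javascript: scripts, same
// scheme and origin as the creating page, service workers only over HTTPS,
// and file:// flagged as browser-dependent. Hypothetical helper.
const BLOCKED_SCHEMES = new Set(['data:', 'javascript:']);

// kind: 'worker' | 'shared' | 'service'
// pageUrl: page (or parent worker) creating the worker
// scriptUrl: URL handed to the constructor / register(); may be relative
function checkWorkerScript(kind, pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  let script;
  try {
    script = new URL(scriptUrl, page); // resolve relative paths against the page
  } catch (e) {
    return { verdict: 'block', reason: 'unparseable script URL' };
  }
  if (BLOCKED_SCHEMES.has(script.protocol)) {
    return { verdict: 'block', reason: `${script.protocol} URL is not an external file` };
  }
  if (script.protocol !== page.protocol) {
    return { verdict: 'block', reason: `scheme mismatch: ${page.protocol} page, ${script.protocol} script` };
  }
  if (page.protocol === 'file:') {
    // Flagged in the post as needing a check: Chrome blocks, others do/did not.
    return { verdict: 'browser-dependent', reason: 'file:// worker, behaviour differs per browser' };
  }
  if (kind === 'service' && page.protocol !== 'https:') {
    return { verdict: 'block', reason: 'service workers only run over HTTPS' };
  }
  if (script.origin !== page.origin) {
    return { verdict: 'block', reason: `cross-origin script: ${script.origin}` };
  }
  return { verdict: 'allow', reason: 'same origin, same scheme' };
}

// Constructed sample inputs (example.test is a reserved test domain).
const SAMPLES = [
  ['worker', 'https://example.test/app/', 'worker.js'],
  ['worker', 'https://example.test/app/', 'http://example.test/worker.js'],
  ['worker', 'https://example.test/app/', 'data:text/javascript,postMessage(1)'],
  ['shared', 'https://example.test/app/', 'https://cdn.example.test/shared.js'],
  ['service', 'http://example.test/', '/sw.js'],
  ['worker', 'file:///home/user/page.html', 'worker.js'],
];
for (const [kind, page, script] of SAMPLES) {
  const { verdict, reason } = checkWorkerScript(kind, page, script);
  console.log(`${kind.padEnd(8)} ${script} -> ${verdict} (${reason})`);
}
```
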

ghost commented Mar 26, 2017

Many thanks. This Web Workers area is, to me anyway, a rather unknown one. Clarified.


ghost commented Mar 26, 2017

Definitely, as I see it at this time -- and I see far less than you -- the only workers related setting I hesitate to block is the famous dom.workers.enabled (I think we've mentioned it here substantially!) and, as far as I'm concerned only because of issues on Google Street View and the add-on I had mentioned, Country Flags & IP Whois, in other words because I was bothered to put it plainly, mainly with the add-on.

I've been thinking of it, recalling what's been written of what may be done -- has been done, abused -- with dom.workers.enabled that I've decided to remove the add-on and replace it with another one, IP Address and Domain Information, which runs with dom.workers.enabled set to false, and set to false it will be and remain, switched to true on a per-site basis (i.e. Google Street View). Per-site is not a problem but an add-on requiring a Firefox setting definitely is.

Off-topic, this is the Frenchman speaking: I guess you meant carte blanche rather than carte blance (I ignored the expression was used in English, by the way).

Off we go :)

Contributor

earthlng commented Mar 26, 2017

Thanks for providing all those infos and links! But idk what there's to discuss - re: privacy/security it looks pretty bad IMO.

This whole thing is a slight mystery to me as well

total mystery to me

starting to become popular

yep, unfortunately

Idk what else to say, you summarized it pretty damn well and I agree with everything you wrote.

ps. hi Tom - wasn't sure it's really you but I suspected it ;) nice to see you around here


ghost commented Mar 26, 2017

This is all good, for all the browser and coding and design and performance issues that can be gained, not to mention the awesome things web apps and sites could do with it. But like anything, it can also be abused.

Like cookies, caches, history etc ... built for the best and occasionally abused. I guess sometimes it is possible to be a smart guy by using the best with a work-around to avoid being abused. But not always, and then a choice is required.

STOP or I'd carry on with my philosophical fixations as Pants describes it :)

Always nice to read you, earthlng. To be honest I had in mind the hypothesis that you and Pants may have recognized Tom (My name is not Tom in fact!) ever since my first posts here with you on Github but were shy to say so, fearing perhaps that I'd take it as inquisition, so I decided to mention the Frenchman to let you both express your assumptions :) It was a hypothesis, only!

I could be joking, now that I think about it!

Nice to be with you both and with those in your staff. I don't bring much more than a spokesman, I appreciate you guys' work and say my word if I believe once the psycho/philosophical matter put aside (it's a package!) remains information.

See: off-topic again. This is the end (don't worry I'll be back, lol!)


Atavic commented Mar 27, 2017

A service worker is a specific type of web worker.

https://w3c.github.io/ServiceWorker/#service-worker-concept

Workers are bound to a domain?

Request objects via Cross-Origin Resource Sharing (CORS) mode allow resources to be loaded from a domain that's not the origin domain, as mozilla/pdf.js#1000 (comment)

Privacy concerns

https://w3c.github.io/ServiceWorker/#privacy

Thorin-Oakenpants changed the title from "overview: Web Workers" to "discussion: redo 2300s web workers" on Apr 2, 2017

Atavic commented Apr 2, 2017

EDIT: This is for Chromium.

For those using uBlock Origin: Web Workers are handled by uBo Extra by Gorhill.

gorhill/uBlock#1936


ghost commented Apr 2, 2017

uBO-Extra ...

The extension is useful only for Chromium-based browsers. There is no need for such an extension so far on Firefox, and thus there is no version for Firefox.


Atavic commented Apr 2, 2017

Yes, you are right. The modifications will be available for uBlock with a new worker type.
Chrome Browser has more webworkers connections to google by default. gorhill/uBlock#2483

Contributor

earthlng commented Jun 2, 2017

draft patch

tbh idk if anything you wrote is correct but it sure looks nice 👍


Atavic commented Jun 3, 2017

workers being able to request objects via CORS

Yes, see here and here.

these requests be controlled if web workers are allowed
(eg since it's outside the window content, how the hell do we stop it)

A CSP HTTP header uses GET and POST requests, you can rewrite them with a local proxy such as Privoxy. You can monitor the requests inside the browser with some addons like this.

Also related: #102 (comment) (particularly, the pdf on bottom)


Atavic commented Jun 26, 2017

pyllyukko/user.js#128
