Skip to content

Commit

Permalink
dom.serviceWorkers.enabled -> false
Browse files Browse the repository at this point in the history
  • Loading branch information
@pyllyukko
pyllyukko committed Feb 23, 2017
1 parent b530c2f commit c65632f
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions user.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,11 @@ user_pref("layers.acceleration.disabled", true);
* *
******************************************************************************/

// https://developer.mozilla.org/en-US/docs/Web/API/Worker
// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
// https://wiki.mozilla.org/Firefox/Push_Notifications#Service_Workers
user_pref("dom.serviceWorkers.enabled", false);

// Make sure the User Timing API does not provide a new high resolution timestamp
// https://trac.torproject.org/projects/tor/ticket/16336
user_pref("dom.enable_user_timing", false);
Expand Down

6 comments on commit c65632f

@pyllyukko
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#208

@nodiscc
Copy link
Contributor

@nodiscc nodiscc commented on c65632f Feb 23, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js it reads

// 2300's: workers/service.workers/push notifications etc may affect twitter, street view and other sites
[...]
// http://www.ghacks.net/2016/03/02/manage-service-workers-in-firefox-and-chrome/
// WARNING: WILL break sites as this gains traction: eg mega.nz requires workers

there is also the pref user_pref("dom.workers.enabled", false);

What is the benefit of disabling ServiceWorkers? (push notifications are already disabled)

Edit: there is also // user_pref("dom.workers.sharedWorkers.enabled", false); which is commented out in the ghacks user.js - though the warning is scary:

// 2417: (44+) disable SharedWorkers, which allow the exchange of data between iFrames that
   // are open in different tabs, even if the sites do not belong to the same domain.
   // https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (no. 8)
   // https://bugs.torproject.org/15562
// is used in FF 45and 46 code once, to set it for a test

Should we set user_pref("dom.workers.sharedWorkers.enabled", false) ?

@pyllyukko
Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When testing with about:serviceworkers (and for instance https://web.whatsapp.com/) this setting seemed to do the trick. It is not just the push notifications, this can be used for other things also.

@nodiscc
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But does disabling it provide additional security?

@pyllyukko
Copy link
Owner Author

@pyllyukko pyllyukko commented on c65632f Feb 25, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess this goes to the "better safe than sorry" bin of things. These service workers actually sound quite scary (as it's code running in the background and apparently not tied into any tab/open website) and in "normal browsers" they seem to stick around across sessions etc.

But honestly I don't know what's the true potential/implication of this technology.

@nodiscc
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I'll document past known problems with ServiceWorkers: see #217

Please sign in to comment.