✨ Feature Suggestion | dom.serviceWorkers.enabled should be set to false #860
Reference: privacyguides/privacytools.io#860
Description:
There was a time where as soon as you closed a tab, the website you were on couldn't run code in your browser anymore. Thanks to service workers, you can now have code being executed without you ever knowing about it, as they are not visible to the browser extensions, and usually do not ask for your permission (the notification message you sometimes get on websites).
They are a privacy and security threat, and should be mentioned in the website.
Here's a couple of links with more description about the issue:
https://sakurity.com/blog/2016/12/10/serviceworker_botnet.html
https://blog.acolyer.org/2019/04/12/master-of-web-puppets-abusing-web-browsers-for-persistent-and-stealthy-computation/
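To check what the description above is talking about on a given site, the following added example (not part of the original issue or of any project mentioned here) lists the service workers registered for the current origin and unregisters those outside an allow-list. It uses the standard `navigator.serviceWorker.getRegistrations()` API when run in a page's developer console; the function names, the stand-in container and the `app.example` scopes are constructed for illustration.

```javascript
// Inventory the service workers registered for the current origin.
// `container` defaults to navigator.serviceWorker; it is a parameter so the
// same logic can run against the constructed stand-in below.
async function listServiceWorkers(container = globalThis.navigator?.serviceWorker) {
  if (!container) return []; // API not exposed, e.g. service workers disabled in the browser
  const registrations = await container.getRegistrations();
  return registrations.map((reg) => {
    // A registration holds at most one worker per lifecycle slot.
    const worker = reg.active || reg.waiting || reg.installing;
    return {
      scope: reg.scope,
      scriptURL: worker ? worker.scriptURL : null,
      state: worker ? worker.state : "none",
    };
  });
}

// Unregister every registration whose scope is not allow-listed.
// Returns the scopes that were actually removed.
async function unregisterExcept(allowedScopes, container = globalThis.navigator?.serviceWorker) {
  if (!container) return [];
  const removed = [];
  for (const reg of await container.getRegistrations()) {
    if (allowedScopes.includes(reg.scope)) continue;
    if (await reg.unregister()) removed.push(reg.scope);
  }
  return removed;
}

// Constructed stand-in for navigator.serviceWorker (hypothetical scopes),
// so the functions above can be exercised outside a browser.
function makeSampleContainer() {
  let regs = [
    { scope: "https://app.example/mail/",
      active: { scriptURL: "https://app.example/mail/sw.js", state: "activated" } },
    { scope: "https://app.example/push/",
      waiting: { scriptURL: "https://app.example/push/sw.js", state: "installed" } },
  ];
  regs = regs.map((r) => ({
    ...r,
    unregister: async () => { regs = regs.filter((x) => x.scope !== r.scope); return true; },
  }));
  return { getRegistrations: async () => regs.slice() };
}
```

A page can only see registrations for its own origin, so this is a per-site check rather than a browser-wide one.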
While I do see the reason behind this request, and agree with some portions of it, there are incredibly important and legitimate use cases for web workers especially in the field of privacy and security.
In short, all web-crypto libraries use or rely on service workers in one form or another to handle processing-heavy operations in the service-worker thread, rather than the main UI thread, so that your browser & UI won't be blocked/frozen while things are being encrypted / decrypted / hashed.
So for example:
OpenPGPjs uses service workers.
https://github.com/openpgpjs/openpgpjs/blob/master/dist/openpgp.worker.js
https://github.com/openpgpjs/openpgpjs#set-up
libsodium.js can use web workers:
https://github.com/jedisct1/libsodium.js/issues/8
TweetNaCl-js can use web workers:
https://github.com/dchest/tweetnacl-js/issues/65
The list goes on.
Blocking service workers would/could slow down (or completely break) privacy-providing web services, like:
Protonmail
ba1964ee71/src/app/setupPmcrypto.js (L15)
Tutanota
2ae78fc01d/src/api/worker
Cryptee
fe0ffb242b/source/js/main.js (L642)
and many others that rely on similar cryptographic libraries. (these are merely 3 examples off the top of my head)
In my opinion, it's incredibly important to consider all angles while making a decision like this, so that a privacytoolsIO browser-feature-recommendation wouldn't break / slow down most of the privacy services recommended on privacytoolsIO.
I've done some testing and it seems to break Protonmail. I do not think we can recommend tweaks that will also break one of our recommendations. I am closing the issue; anyone is free to comment with new arguments to open it up again.