#15563: ServiceWorkers violate first party isolation, probably
-------------------------------------------------+-------------------------
 Reporter:  arthuredelstein                      |          Owner:  tbb-team
     Type:  defect                               |         Status:  needs_information
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-linkability, ff68-esr,           |  Actual Points:
            tbb-9.0-must-alpha                   |
Parent ID:                                       |         Points:  1
 Reviewer:                                       |        Sponsor:  Sponsor44-can
-------------------------------------------------+-------------------------

Comment (by sysrqb):

Replying to [comment:18 acat]:
> AFAIK, service workers APIs should not be usable in private browsing
> mode, `navigator.serviceWorker` is not present in that case. So in mobile
> they have flipped the serviceworker pref but as long as we only have
> private windows it should not be usable. Should we still investigate this
> for `browser.privatebrowsing.autostart = false`?

We should disable `dom.serviceWorkers.enabled` on mobile. We don't support
`browser.privatebrowsing.autostart = false`, but we know some people use
Tor Browser like that, regardless of the consequences.

In the longer term, we should make sure ServiceWorkers do not violate FPI
when used in non-private browsing mode, but I don't think verifying this
now is worth the effort. I'll open a ticket for disabling it on Android
(for the people who use non-private browsing mode).

I support closing this ticket as done, and opening another ticket
specifically for non-private browsing mode, so we don't forget about this
in the future.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15563#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs