This topic contains 8 replies, has 2 voices, and was last updated by skidoo Mar 13-2:02 pm.
March 11, 2019 at 4:56 pm #19340Member
I may be late to the party but I didn’t know till a couple of days ago, and this due to coincidence.
Mozilla based browsers, chrome/chromium have these enabled, have those “things” named serviceworkers.
I haven’t found much official documentation about them, why they were created and how they operate.
They seem to be “services” that run in the background from sites that generate them and use them, they may still be running after you leave/close/logoff a webpage, they intercept network traffic, and they communicate.
about:serviceworkers shows you how many are active, if any, and allow you to terminate/eliminate them, till you go back to that site of course. about:config –> search for serviceworkers and you can find the option “enable serviceworkers”
I didn’t find this mentioned in many linux forums and sites and I wonder what people here think about them, are there concerns, are they harmless, …?March 11, 2019 at 7:13 pm #19343Member
Regardless what desirable functionality they might potentially provide, I set them disabled.
For the sites I visit (YMMV), doing so across several years has caused ZERO noticable (to me) breakage.
BTW: the results of a websearch “serviceworker CVE” will be enlightening
Below is a peek at some of my tweaked browser prefs.
Your newer versioned browser may (probably does) have additional related prefs.
dom.webnotifications.serviceworker.enabled false (moot if serviceWorkers are diabled, but oh well)
dom.serviceWorkers.openWindow.enabled false (moot if serviceWorkers are diabled, but oh well)
dom.serviceWorkers.idle_timeout 1 (unit is milliseconds)
dom.serviceWorkers.idle_extended_timeout 1 (unit is milliseconds)
dom.push.serverURL <specify an empty/blank string>
dom.push.userAgentID <specify an empty/blank string>
(who the Hell rationalized the enabling unsolicited browser comms via UDP would be a GoodIdea?!?)
“workers” aka “dom workers” aka “web workers” are a different creature, separate from serviceworkers.
Less worrisome than serviceworkers (but rife for use by embedded coin miner scripts) I disable them also.
dom.workers.enabled falseMarch 12, 2019 at 7:36 am #19353Member
After a little hunting I discovered that firefox-esr (I suspect main firefox), palemoon, have them turned off by default, so does TB.
Waterfox has them by default on.
How many of my assumptions are incorrect I don’t really know, don’t let me mislead anything and add to the confusion. It is the lack of documentation about them that puzzles me most.March 12, 2019 at 10:44 am #19354Member
who devised them, and why:
proposed + adopted as a w3C spec. The proponents are developers who want to shoehorn “web app” -like functionality into browser. (If we can’t convince users to “install our app”, hopefully we can coerce them into allowing our everpresent component right within their web browser.) In a nutshell, sez me, it’s allabout lustfully attempting to establish and to maintain a stateful client-side presence.
Prior to installation of each serviceworker, reputedly a doorhanger prompt will be (must be) displayed. The prompt won’t explicitly state “blablah serviceworker blah”. Instead, the prompt will bear enticing non-technical text ala “happysite wants to send notification of coupons and free stuff. Allow|Deny”
Once installed, instead of being autostarted with the O/S (as an “installed app” might be), a serviceworker is autostarted during each launch of the web browser. It has inherent permission to maintain a persistent local datastore (using IndexedDB) ~~ typically, the storage is utilized to at least maintain a UUID (aka permacookie) and cached local copies of some site-related files.
Here is a mozilla-created site which presents exemplars for various usages: https://serviceworke.rs/
for technical docs, a suitable search query is: “mozilla serviceworker MDN”
NoScript i haven’t checked recently. Among its various settings, it may provide one-click ability to toggle/disable all the serviceworker related prefs (vs wading through about:config). As you mentioned, serviceworkers operate outside the context of a specific page, or specific browser tab ~~ beyond the jurisdiction of NoScript.March 12, 2019 at 3:28 pm #19357Member
‘ “happysite wants to send notification of coupons and free stuff. Allow|Deny” ‘
Correct me if I am wrong, you go to a sales site, you voluntarily allow many sites’ scripts to run so you can shop, then a little annoying thingy square opens up letting you know an assistant/salesperson is available for chat, and you close it, or are you aware we have a special on smoked cheese, and you say I am aware and close it, the service worker is installed and running whether you clicked forward or terminated those notices, right?
A while ago myself and some friend got all hot and bothered because palemoon was listing NoScript as “malignant” and it would cause instability (not with the browser) with some “website experience”. So dumped that shit right away because their reasoning was powerful as that of a turnip. Deleted posts, locked the discussion thread and moved on. This is when I moved to waterfox, thinking this was the last healthy mozilla fork before mozilla turned their software into windows10 blinky crap.
Now I find that most other browsers have disabled serviceworkers by default but waterfox has them enabled. And I didn’t know. I don’t like Qt stuff much so I am not going back to Falkon/qupzilla either. It seems I may be out off a browser soon.March 12, 2019 at 7:07 pm #19360Member
you go to a sales site, you voluntarily allow many sites’ scripts to run so you can shop, then…
The “allow many sites` scripts” (simultaneously, with a single OK click) detail in that example isn’t possible. Only the site currently represented in the browser’s addressbar is granted permission to install a serviceworker (and ONLY if the current pageload was via https). If they are presenting offers on behalf of multiple sites, technically the script (serviceworker) is still only theirs. A further limitation: by convention, the web browser should refuse to install (or even entertain a scripted request to prompt for install) a serviceworker while “private browsing mode” is in effect.
Forevermore, until/unless you visit about:serviceworkers and uninstall a serviceworker, it will be autoloaded and activated during the launch of each browser session. (Do, please, bear in mind that “modern browser” instances can be launched surreptitiously, via –headless commandline option. What could POSSIBLY go wrong, eh?)
What, exactly, each serviceworker does each time the browser launches (and periodically through your browser use)… is NoneYaBiznuss. Your’re expected to just blindly, stupidly, trust that it is busiliy engaged in “enhancing your browsing experience”. You don’t have easy ability to inpect its code.
When you consider the examples presented on the serviceworke.rs site, it should be clear that the range of functionality provided by serviceworkers
could bepredictably, inevitably, will be put to unwelcome/invasive use.March 13, 2019 at 6:57 am #19383Member
Not not all at once, but you may find a single site having some cheokout utility that comes from another site, googletagmanagers, some cloudfront server with pictures, graphics, etc, and by the time you get it to work it is 4-5 of them. You finish ordering, all permissions were temporary, and you block everything again. Service workers installed will keep on running even if you never visit again.
48hrs now that I wiped them and turned them off I have not experienced any issues, actually the browser got a bit faster.
I am just mad I didn’t know and they were enabled without real warning.March 13, 2019 at 12:12 pm #19389Member
enabled without real warning
FYI, agreeing to install WideVine EME (encrypted media extension)
similarly creates — without clear warning/disclaimer — an identical “forevermore” scenario.
The patent purpose of EME is to enable providers of DRM encumbered content to verify that a specific playback device is suitably licensed. On linux, it generates a durable fingerprint based on UUID of boot partition. On Windows, it generates a durable fingerprint based on serial number of the PC’s motherboard (which is read from hardware, fairly impossible to spoof).
The one-time (ever) user prompt does not provide an explanation beyond “To view this content, you need to”
Cookies (and clearing them) is now nearly moot.
Websites can embed a 1px (aka “invisible” aka “web bug”) widevine-encrypted item, thereby causing the web browser to transmit its durable fingerprint -based “key”. Zero benefit to the user, zero knowledge on the part of the user, huge boon to BigData tracking.
let’s take a stroll…
websearch “firefox widevine install”
As you mentioned, most people don’t know, don’t notice…
Specific to WideVine, many who believe they know… have been tricked. They are operating under the “belief” which was instilled by Mozilla back when they brought the camel’s nose in under the tent by promising “it’s not a bad thing, it’s a NECESSARY thing, toward supporting the modern web. You can set it to AskToActivate…“March 13, 2019 at 2:02 pm #19391Member
pity The Fool:
well, whenever I watches muh [widevine-encumbered] goat p0rn, IB usin’ muh TOR, and “Private Browsing Mode” also too
You must be logged in to reply to this topic.