browsers serviceworkers on/off with/without

Forum Forums General Software browsers serviceworkers on/off with/without

This topic contains 8 replies, has 2 voices, and was last updated by skidoo Mar 13-2:02 pm.

Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • #19340
    Member
    fungalnet
    fungalnet

    I may be late to the party but I didn’t know till a couple of days ago, and this due to coincidence.
    Mozilla based browsers, chrome/chromium have these enabled, have those “things” named serviceworkers.
    I haven’t found much official documentation about them, why they were created and how they operate.
    They seem to be “services” that run in the background from sites that generate them and use them, they may still be running after you leave/close/logoff a webpage, they intercept network traffic, and they communicate.

    about:serviceworkers shows you how many are active, if any, and allow you to terminate/eliminate them, till you go back to that site of course. about:config –> search for serviceworkers and you can find the option “enable serviceworkers” true/false

    I didn’t find this mentioned in many linux forums and sites and I wonder what people here think about them, are there concerns, are they harmless, …?

    #19343
    Member
    Avatar
    skidoo

    Regardless what desirable functionality they might potentially provide, I set them disabled.
    For the sites I visit (YMMV), doing so across several years has caused ZERO noticable (to me) breakage.
    BTW: the results of a websearch “serviceworker CVE” will be enlightening

    Below is a peek at some of my tweaked browser prefs.
    Your newer versioned browser may (probably does) have additional related prefs.

    dom.serviceWorkers.enabled false
    dom.webnotifications.serviceworker.enabled false (moot if serviceWorkers are diabled, but oh well)
    dom.webnotifications.enabled false

    dom.serviceWorkers.openWindow.enabled false (moot if serviceWorkers are diabled, but oh well)
    dom.serviceWorkers.testUpdateOverOneDay false
    dom.serviceWorkers.idle_timeout 1 (unit is milliseconds)
    dom.serviceWorkers.idle_extended_timeout 1 (unit is milliseconds)

    dom.push.enabled false
    dom.push.connection.enabled false
    dom.push.serverURL <specify an empty/blank string>
    dom.push.userAgentID <specify an empty/blank string>
    dom.push.udp.wakeupEnabled false
    (who the Hell rationalized the enabling unsolicited browser comms via UDP would be a GoodIdea?!?)

    =================

    “workers” aka “dom workers” aka “web workers” are a different creature, separate from serviceworkers.
    Less worrisome than serviceworkers (but rife for use by embedded coin miner scripts) I disable them also.
    dom.workers.enabled false

    #19353
    Member
    fungalnet
    fungalnet

    After a little hunting I discovered that firefox-esr (I suspect main firefox), palemoon, have them turned off by default, so does TB.
    Waterfox has them by default on.
    What I read briefly about CVEs issued seemed to be a vulnerability where a hacker can use them for violating security. I am still trying to understand what they do and who and why devised them. Also if they are javascript installed would blocking scripts with NoScript affect them? I suspect initially scripts have to be allowed to run to install one, once installed NoScript will not do anything to stop them, they run in the background as soon as the browser is on.

    How many of my assumptions are incorrect I don’t really know, don’t let me mislead anything and add to the confusion. It is the lack of documentation about them that puzzles me most.

    #19354
    Member
    Avatar
    skidoo

    who devised them, and why:
    proposed + adopted as a w3C spec. The proponents are developers who want to shoehorn “web app” -like functionality into browser. (If we can’t convince users to “install our app”, hopefully we can coerce them into allowing our everpresent component right within their web browser.) In a nutshell, sez me, it’s allabout lustfully attempting to establish and to maintain a stateful client-side presence.

    Prior to installation of each serviceworker, reputedly a doorhanger prompt will be (must be) displayed. The prompt won’t explicitly state “blablah serviceworker blah”. Instead, the prompt will bear enticing non-technical text ala “happysite wants to send notification of coupons and free stuff. Allow|Deny”

    Once installed, instead of being autostarted with the O/S (as an “installed app” might be), a serviceworker is autostarted during each launch of the web browser. It has inherent permission to maintain a persistent local datastore (using IndexedDB) ~~ typically, the storage is utilized to at least maintain a UUID (aka permacookie) and cached local copies of some site-related files.

    Here is a mozilla-created site which presents exemplars for various usages: https://serviceworke.rs/
    for technical docs, a suitable search query is: “mozilla serviceworker MDN”
    https://developer.mozilla.org/en/docs/Web/API/Service_Worker_API
    https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers

    NoScript i haven’t checked recently. Among its various settings, it may provide one-click ability to toggle/disable all the serviceworker related prefs (vs wading through about:config). As you mentioned, serviceworkers operate outside the context of a specific page, or specific browser tab ~~ beyond the jurisdiction of NoScript.

    #19357
    Member
    fungalnet
    fungalnet

    ‘ “happysite wants to send notification of coupons and free stuff. Allow|Deny” ‘

    Correct me if I am wrong, you go to a sales site, you voluntarily allow many sites’ scripts to run so you can shop, then a little annoying thingy square opens up letting you know an assistant/salesperson is available for chat, and you close it, or are you aware we have a special on smoked cheese, and you say I am aware and close it, the service worker is installed and running whether you clicked forward or terminated those notices, right?

    A while ago myself and some friend got all hot and bothered because palemoon was listing NoScript as “malignant” and it would cause instability (not with the browser) with some “website experience”. So dumped that shit right away because their reasoning was powerful as that of a turnip. Deleted posts, locked the discussion thread and moved on. This is when I moved to waterfox, thinking this was the last healthy mozilla fork before mozilla turned their software into windows10 blinky crap.

    Now I find that most other browsers have disabled serviceworkers by default but waterfox has them enabled. And I didn’t know. I don’t like Qt stuff much so I am not going back to Falkon/qupzilla either. It seems I may be out off a browser soon.

    #19360
    Member
    Avatar
    skidoo

    you go to a sales site, you voluntarily allow many sites’ scripts to run so you can shop, then…

    The “allow many sites` scripts” (simultaneously, with a single OK click) detail in that example isn’t possible. Only the site currently represented in the browser’s addressbar is granted permission to install a serviceworker (and ONLY if the current pageload was via https). If they are presenting offers on behalf of multiple sites, technically the script (serviceworker) is still only theirs. A further limitation: by convention, the web browser should refuse to install (or even entertain a scripted request to prompt for install) a serviceworker while “private browsing mode” is in effect.

    Forevermore, until/unless you visit about:serviceworkers and uninstall a serviceworker, it will be autoloaded and activated during the launch of each browser session. (Do, please, bear in mind that “modern browser” instances can be launched surreptitiously, via –headless commandline option. What could POSSIBLY go wrong, eh?)

    What, exactly, each serviceworker does each time the browser launches (and periodically through your browser use)… is NoneYaBiznuss. Your’re expected to just blindly, stupidly, trust that it is busiliy engaged in “enhancing your browsing experience”. You don’t have easy ability to inpect its code.

    When you consider the examples presented on the serviceworke.rs site, it should be clear that the range of functionality provided by serviceworkers could be predictably, inevitably, will be put to unwelcome/invasive use.

    #19383
    Member
    fungalnet
    fungalnet

    Not not all at once, but you may find a single site having some cheokout utility that comes from another site, googletagmanagers, some cloudfront server with pictures, graphics, etc, and by the time you get it to work it is 4-5 of them. You finish ordering, all permissions were temporary, and you block everything again. Service workers installed will keep on running even if you never visit again.
    48hrs now that I wiped them and turned them off I have not experienced any issues, actually the browser got a bit faster.

    I am just mad I didn’t know and they were enabled without real warning.

    #19389
    Member
    Avatar
    skidoo

    enabled without real warning

    FYI, agreeing to install WideVine EME (encrypted media extension)
    similarly creates — without clear warning/disclaimer — an identical “forevermore” scenario.

    The patent purpose of EME is to enable providers of DRM encumbered content to verify that a specific playback device is suitably licensed. On linux, it generates a durable fingerprint based on UUID of boot partition. On Windows, it generates a durable fingerprint based on serial number of the PC’s motherboard (which is read from hardware, fairly impossible to spoof).

    The one-time (ever) user prompt does not provide an explanation beyond “To view this content, you need to”

    Cookies (and clearing them) is now nearly moot.
    Websites can embed a 1px (aka “invisible” aka “web bug”) widevine-encrypted item, thereby causing the web browser to transmit its durable fingerprint -based “key”. Zero benefit to the user, zero knowledge on the part of the user, huge boon to BigData tracking.

    Mozilla:
    we respect your privacy.”
    “We defend your privacy”
    Firefox exists to provide an alternative to BigBaddieGoogle… to preserve your privacy
    Hobson’s Choice
    the Judas Goat pehenomenon

    let’s take a stroll…

    startpage.com
    websearch “firefox widevine install”
    click “Images”

    .
    .

    .
    .

    .

    .
    As you mentioned, most people don’t know, don’t notice…

    Specific to WideVine, many who believe they know… have been tricked. They are operating under the “belief” which was instilled by Mozilla back when they brought the camel’s nose in under the tent by promising “it’s not a bad thing, it’s a NECESSARY thing, toward supporting the modern web. You can set it to AskToActivate…

    #19391
    Member
    Avatar
    skidoo

    pity The Fool:

    well, whenever I watches muh [widevine-encumbered] goat p0rn, IB usin’ muh TOR, and “Private Browsing Mode” also too

Viewing 9 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic.