Require Opt-In for Service-Worker Registrations
-
Please can Vivaldi require the user's assent when a site tries to register a new service worker? I think that this is crucial for privacy, security and perf. and is at least as critical as requiring opt-in for registering desktop notifications, URL handlers and other such "global" stuff.
To illustrate the problem, navigate to the internal page that shows all global service-worker registrations: vivaldi://serviceworker-internals or chrome://serviceworker-internals. How many do you have?
I had 16 on my rather fresh browser profile on my dev. machine, including some from sites I don't recognise at all (alligator dot io, countryeconomy dot com, aftership dot com and more) and some from sites I only ever visited once and certainly don't want background content from (polymer-project dot org etc.)
I can completely see the need for service workers on the modern web but I can only think of a very small handful of sites (three. maximum.) from which I want ever-present background content. I understand that push-notifications require opt-in (just like I propose for service workers) and almost certainly represent 99% of the useful use-cases for service workers and that's a good thing... but the fact that sites can still register service-workers without any user prompting even if you deny their desktop notifications is extremely concerning.
Some of these sites never even tried to register notifications and that's why I am so surprised to see that activated service-workers exist from them.
Perhaps this is more a topic for Chromium/Chrome and less for Vivaldi. Either way, I think it MUST be changed to an opt-in pattern.
This may be a relatively minor annoyance, today, but I have no doubt that this idea will catch on with marketeers and ad-slingers and, soon, every website will be tacking its service worker on to your browser as soon as you foolishly GET a page from it.
-
This is a great idea. There are some cases where the permission could be implicit (e.g. installing a PWA... whenever they get implemented), but any other time they really should not be installed.
I can imagine ad services just on-the-fly registering workers every time someone visits a page. Looking at mine, all of the ones installed are from sites I visit, and any that don't have an active tab aren't even running (Running Status: STOPPED) - but surreptitiously added ones are less likely to behave so nicely.
-
Ok. I did some more reading about service workers: https://chromium.googlesource.com/chromium/src/+/master/docs/security/service-worker-security-faq.md
I still stand by my feature request. At the very least, Vivaldi should have an option to (A) deny all service workers (B) silently allow all service workers -- the current behaviour -- or (C) require the user to grant permission whenever a site tries to register a service worker -- what I would like. Option B can even remain the default as far as I am concerned, complying with the Chrome Team's view that users do not have sufficient knowledge to judge whether service workers should be allowed from a site or not.
I see that the Chrome team think that service workers do not present a threat but, personally, they make me very uneasy. Firstly, I like sites to be truly ephemeral unless I choose otherwise. Call the web "ephemeral by default" if you will... which sort of equates to "secure by default". I do not buy the argument that service workers are no worse than the static HTTP cache...
"Consider, for example, that the HTTP cache ... do not/did not prompt the user."
... I just don't buy that argument, not for an instant.
The Chrome team also write:
"Another way to avoid SWs is to use one of the browsers that don't (yet) support SWs. But, eventually, the Open Web Platform will continue to evolve into a powerful, useful platform supporting applications that are secure, linkable, indexable, composable, and ephemeral. Yes, SWs make web apps somewhat less ephemeral, but we believe the increased applicability of the OWP is worth it."
Ok. So fair enough. But give me the choice! Personally, I place a very, very high weight on web content being ephemeral. If I close it and did not explicitly grant it permission to continue to exist, it should be gone. Beyond the basic, static cache, I don't want anything to remain.
EDIT:
Why doesn’t Chrome prompt the user before registering a Service Worker?
The Chrome Team generally prefers to ask people about things that are privacy-relevant, using nouns and verbs that are simple and precise (camera, mic, geo-location, and so on). But we avoid asking questions about resource-use (caching, persistence, CPU, and so on). We’re better prepared to make those types of resource decisions automatically.
Er. Ahem. Sorry. No, you are definitely not. That's exactly the sort of thinking that led to the invention and eventual ubiquity of several other web abominations. Third-party cookies, for example, should simply never have been a Thing in the first place!
Vivaldi bills itself as a browser that gives me back the control. That's the beginning and end of the reason why I love Vivaldi. So give me control over service worker policy, too, please!
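Added example, not part of the original post and not a Vivaldi or Chromium feature: a page-level shim that applies the three policies listed above (deny, allow, prompt) to `navigator.serviceWorker.register`, plus a helper that unregisters what the current origin already installed. It assumes the script is injected before any page script runs (for example by a userscript or extension); `installRegistrationGate`, `unregisterAll` and `POLICY` are hypothetical names.

```javascript
// Policy names mirror options (A), (B) and (C) from the post; all identifiers are hypothetical.
const POLICY = { DENY: "deny", ALLOW: "allow", PROMPT: "prompt" };

// Wrap container.register so every registration attempt passes through the policy.
// `ask(origin, scriptURL)` must resolve to true (grant) or false (refuse).
function installRegistrationGate(container, { policy, origin, ask, allowlist = [] }) {
  const originalRegister = container.register.bind(container);
  const allowed = new Set(allowlist);

  container.register = async function gatedRegister(scriptURL, options) {
    if (policy === POLICY.ALLOW || allowed.has(origin)) {
      return originalRegister(scriptURL, options);
    }
    if (policy === POLICY.PROMPT && (await ask(origin, String(scriptURL)))) {
      allowed.add(origin); // remember the grant until the page is closed
      return originalRegister(scriptURL, options);
    }
    // DENY, or the user declined: reject the way a blocked registration would.
    const err = new Error(`Service worker registration blocked for ${origin}`);
    err.name = "SecurityError";
    throw err;
  };
  return container;
}

// Unregister every service worker the current origin has already installed.
// Resolves to the number of registrations that were actually removed.
async function unregisterAll(container) {
  const registrations = await container.getRegistrations();
  const results = await Promise.all(registrations.map((r) => r.unregister()));
  return results.filter(Boolean).length;
}

// Browser wiring; skipped when no ServiceWorkerContainer is available.
if (typeof navigator !== "undefined" && navigator.serviceWorker) {
  installRegistrationGate(navigator.serviceWorker, {
    policy: POLICY.PROMPT,
    origin: location.origin,
    ask: async (origin, url) =>
      window.confirm(`Allow ${origin} to register service worker ${url}?`),
  });
}
```

The gate only covers code running in the page it was injected into, and `unregisterAll` only sees registrations for the current origin; the browser-wide list remains the internals page mentioned at the top of the thread.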
-
@stephenm Reading that link, it says
You can disable SWs by disabling storage in chrome://settings. SW are gated on cookie/local data storage settings. (That is, the Block sites from setting any data radio button in Content Settings.)
To me, this is starting to look like it could be related to @luetage's post here: https://forum.vivaldi.net/topic/24235/better-cookie-management
More user choice and granularity of said choices is always great, even if it is always on by default.
-
@lonm I did read that on the Chrome documentation link.
I also thought it wasn't very helpful that the same setting is used for both service-workers and static, non-executable storage like cookies. Because service-workers and cookies are two entirely distinct concepts. Given that Vivaldi provides me with an option to block all third-party cookies (the very first feature I enabled when I migrated, thanks Vivaldi!), I do not really consider cookies to be a major risk and choose to leave first-party cookies enabled because session cookies are rather necessary in my opinion. Service workers, however, are seriously concerning and provide no utility on 99.999999% of sites.
What if I want to allow sites to set data (cookies) but just prevent them from registering scripts that continue running when I close those sites? Even if that lifetime is limited, I don't like it! It's another attack surface.
Thanks for the link to the other suggestion, though. The two requests are more or less the same, in essence: give us more control over our security policies.