diff --git a/Optional-Hardening.md b/Optional-Hardening.md index 083a1d8..c41c118 100644 --- a/Optional-Hardening.md +++ b/Optional-Hardening.md 
@@ -210,13 +210,22 @@ For Option 2, you can create exceptions to stay logged in to some sites between *** ### Service Workers -Service workers cache a web page's content before it loads, which allows the content to load a few milliseconds faster on return visits. Service workers also let you receive [push notifications](https://support.mozilla.org/en-US/kb/push-notifications-firefox#w_how-do-i-stop-firefox-asking-me-to-allow-notifications) from sites even after you close the site, behavior which Betterfox [blocks](https://github.com/yokoffing/Betterfox/blob/392c62a03c0d63e323a9aae55bc9aff87454db16/Securefox.js#L1461-L1467) by default. +Service workers are JavaScript files that act as proxies between your browser and a website's server. Service workers cache a page's content so return visits load a few milliseconds faster. They also allow you to browse a site offline. -Service workers also persist after you close the tab and maintain contact with the remote server. For instance, sites like Reddit use them for caching notifications when the site isn't loaded and telemetry (notification interactions). You can see yours at `about:serviceworkers`. +Service workers let sites send you [push notifications](https://support.mozilla.org/kb/push-notifications-firefox#w_how-do-i-stop-firefox-asking-me-to-allow-notifications) after you close the tab, which Betterfox [blocks](https://github.com/yokoffing/Betterfox/blob/392c62a03c0d63e323a9aae55bc9aff87454db16/Securefox.js#L1461-L1467) by default. They also keep running after you close the tab and stay in contact with the server. Reddit, for example, uses them to cache notifications and track how you interact with them. You can review your own at `about:serviceworkers`. -Service workers phone home to sites you’ve already closed; and when you close a tab, you likely don’t want that site sending you notifications anyway. The minor speed improvement is not worth the loss of control. +So why disable them? 
Service workers phone home to sites you've already closed, and once you close a tab you probably don't want that site pinging you anyway. -This is a pretty mild setting to disabled. I've left service workers disabled for months and never ran into any site issues. +Service workers enhance a site rather than replace its core features, so if your browser doesn't support them, the site still works normally. On the very first visit to a web page that installs a new service worker, the initial visit to a page provides its baseline functionality while the service worker downloads. After a service worker is installed and activated, it controls the page to offer improved reliability and speed. (See [here](https://developer.chrome.com/docs/workbox/service-worker-overview/) and [here](https://firefox-source-docs.mozilla.org/devtools-user/application/service_workers/index.html)). + +#### Option 1: Private Browsing only + +```javascript +// PREF: disable service workers in Private Browsing windows +user_pref("dom.serviceWorkers.privateBrowsing.enabled", false); +``` + +#### Option 2: Normal and Private Browsing ```javascript // PREF: disable service workers 
@@ -225,7 +234,22 @@ user_pref("dom.serviceWorkers.enabled", false); user_pref("dom.serviceWorkers.privateBrowsing.enabled", false); ``` +#### Option 3: Adblock +You can use adblock rules to customize an allowlist and denylist with uBlock Origin. + +```adblock +! Block service workers +*$csp=worker-src 'none' +! Exceptions (allowlist): +@@||chat.google.com^$csp=worker-src 'none' +@@||mail.google.com^$csp=worker-src 'none' +@@||meet.google.com^$csp=worker-src 'none' +@@||messages.google.com^$csp=worker-src 'none' +@@||outlook.office.com^$csp=worker-src 'none' +``` + *** + ### Storage Access Heuristics For web compatibility reasons, Firefox will dynamically grant unpartitioned access to third-party cookies for 30 days in certain scenarios which require user interaction. For example, if you click a **Login with SSO** button on a website, Firefox will grant the SSO provider storage access to the website you clicked that button on for 30 days.
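Review bot: In the first hunk (the rewritten Service Workers text), the added paragraph that begins "Service workers enhance a site rather than replace its core features" says the site "still works normally" without them, but the same patch adds an Option 3 allowlist for chat.google.com, mail.google.com, meet.google.com and others, which implies some sites do need an exception. Qualify the claim or state why those hosts are excepted, so the two passages do not contradict each other. The following sentence also repeats itself ("On the very first visit to a web page ... the initial visit to a page provides"); keep one of the two phrases. Option 1 would also benefit from a sentence on when to choose it over Option 2, since the heading alone gives no guidance.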
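Review bot: In the second hunk (Option 3), the rule comment "! Block service workers" above `*$csp=worker-src 'none'` understates what the rule does: the CSP `worker-src` directive covers dedicated and shared workers as well as service workers, so this filter is broader than the `dom.serviceWorkers.enabled` pref in Option 2 and can break sites that the pref would not. Reword the comment and the intro sentence to say that all worker scripts are blocked, and note that the listed exceptions re-enable all of them on those hosts. Two smaller points: "#### Option 3: Adblock" has no blank line before its paragraph, unlike the Option 1 and Option 2 headings, and the blank line added after `***` is an unrelated whitespace change.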