Service Worker Accountability
The Web
Users freely give away
… compute
… storage
… network access
… energy/battery
And we all benefit
The Old Web
Sites gain access to resources with
… an open tab
… a frame in an open tab
This establishes a simple rule:
What you can’t see can’t hurt you
Permissions Never Granted Can Still Be Revoked
Limiting how user resources are exploited is important
Visibility is a fundamental part of what makes sites accountable
This is a small part of what makes the web wonderful
It is easier to ask forgiveness than it is to ask for permission
Asking For Permission
A bunch of APIs now ask permission to do special things
Users expect this level of control, expect to be asked
Asking Permission Is No Free Pass
Obtaining consent is hard
… you have to be sure that the question is understood
… sometimes consent can be accidental
Maintaining accountability is critical
… show an indicator when in use
… easy access to revoke permission
What you can’t see can still hurt you
New Web Features
Background Sync - mainly periodic sync
All of these run code when something happens elsewhere
How do we continue to maintain accountability?
Other Costs: Tracking
Network access at arbitrary times is a real privacy threat
Tracking by geoip can be highly effective
Geofencing is basically physical tracking
Hard Questions
The web benefits greatly from these features
However, we risk losing accountability
Crippling features in pursuit of some ideal is self-defeating
… we might accidentally do this several times before we work this out
Bad options and experiments
Option: Do Nothing
These features are all great and we don’t think that they will ever be abused
Option: Maintain Visibility
Ensure that if there is activity, it is visible
… couple this with easy methods of revoking access
Chrome has done this for Push with a userVisibleOnly option
Might not work for background sync or geofencing
… if the indicator is always on, this fails
Option: Task Manager
That’s how it’s done for most operating systems
Option: Quota
Limit access to the API
… in time
… number of activations
… or something else
Option: Some Combination
The ultimate solution seems likely to be a combination of approaches
Maybe with something else that I haven’t thought of?
The Firefox Push Experiment
Sites are given a time-based quota (3 weeks)
The quota is refreshed each time the page is visited
Activation duration reduces this quota (quadratically)
Push messages reduce the quota proportionally (10-25% of remaining time)
… unless there is a notification visible after the message is processed (~3s)
One final message is delivered after quota runs out
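The quota scheme on this slide as a toy simulation; this is an added example, not Firefox's own code. The slides do not give the exact formulas, so the quadratic activation charge (seconds squared), the treatment of elapsed wall-clock time as consumption, and the per-message fraction parameter are assumptions.

```python
# Added example (not from the slides): a model of the time-based push quota.
# Assumed details are marked; the slides only give the shape of the scheme.
import math

THREE_WEEKS = 3 * 7 * 24 * 3600  # the budget is measured in seconds


class PushQuota:
    """Background-activity budget for one origin, counted in seconds."""

    def __init__(self, full=THREE_WEEKS):
        self.full = full
        self.remaining = full
        self.final_sent = False  # the single message allowed after exhaustion

    def visit(self):
        """A foreground visit refreshes the whole budget."""
        self.remaining = self.full
        self.final_sent = False

    def elapse(self, seconds):
        """Wall-clock time since the last visit consumes budget (assumption)."""
        self.remaining = max(0, self.remaining - seconds)

    def activation(self, seconds):
        """Service-worker run time is charged quadratically (assumed: s**2)."""
        self.remaining = max(0, self.remaining - seconds * seconds)

    def push(self, notification_shown, cost_fraction=0.10):
        """Deliver one push message if the budget allows; True if delivered.

        A message that leaves a notification visible (~3s after processing)
        is free; otherwise it costs 10-25% of the remaining budget (the
        fraction is a parameter here, clamped to that range). Once the budget
        is exhausted exactly one final message is still delivered.
        """
        if self.remaining <= 0:
            if self.final_sent:
                return False
            self.final_sent = True
            return True
        if not notification_shown:
            frac = min(0.25, max(0.10, cost_fraction))
            self.remaining -= math.ceil(self.remaining * frac)
        return True
```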
Future Experiments
Might give more quota, or reduced cost to sites that users trust
… but what does that mean anyway?
Backup
Service Workers and Fetch
fetch and foreignfetch interception only happens if something fetches
Using fetch requires a context that is active
Activity in the intercept can be attributed to the active context