Workers test throwing unsupported on Safari 17.3 #259

Open
Joe12387 opened this issue Feb 14, 2024 · 10 comments

@Joe12387

Hi there.

I noticed that your service worker test does not seem to work properly on Safari as of 17.3 on both macOS and iOS, and it says that all service worker types are unsupported. Correct me if I'm wrong, but I do believe service workers are still a supported feature in Safari and, if my memory serves me, versions of Safari prior to 17.3 worked as expected on this page.

Thanks!

@abrahamjuliot abrahamjuliot added unexpected unexpected behavior in browsers help wanted Extra attention is needed labels Feb 21, 2024
@abrahamjuliot
Owner

abrahamjuliot commented Feb 21, 2024

Good catch. It's likely connected with the use of inline workers and modifications implemented here. I will investigate.

@abrahamjuliot
Owner

I'm pondering whether it is worth changing to support Safari. For now, the single-file test page works on Safari here.
https://abrahamjuliot.github.io/fpworker/

@Joe12387
Author

Joe12387 commented Mar 8, 2024

Interesting. DedicatedWorkerGlobalScope in Safari 17.4 on both macOS and iOS is consistent with Window when it comes to canvas, but ServiceWorkerGlobalScope and SharedWorkerGlobalScope do not appear to be applying canvas fingerprinting protections and the hashes remain the same even in a private window. Maybe it's just a bug in your code, but have we found ourselves a fingerprinting vulnerability in Safari?
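
A regression check for the gap described in the comment above, written as an added example that is not part of the thread or of the project's code. It assumes canvas hashes have already been collected per global scope in a normal and a private session, and that an active protection makes the Window hash differ between the two; the function names and hash values are constructed for illustration.

```javascript
// Added example. Hash values are constructed placeholders, not real output.
const SCOPES = ['Window', 'DedicatedWorkerGlobalScope',
  'SharedWorkerGlobalScope', 'ServiceWorkerGlobalScope'];

// normal / priv: maps of scope name -> canvas hash string, or null when the
// scope could not be tested. Assumption: an active canvas protection makes
// the Window hash differ between a normal and a private session.
function classifyScopes(normal, priv) {
  const win = { n: normal.Window ?? null, p: priv.Window ?? null };
  const baseline = win.n !== null && win.p !== null && win.n !== win.p;
  const report = {};
  for (const scope of SCOPES) {
    const n = normal[scope] ?? null;
    const p = priv[scope] ?? null;
    let status;
    if (n === null || p === null) status = 'unsupported';
    else if (!baseline) status = 'inconclusive'; // Window shows no protection
    else if (n === p) status = 'unprotected';    // hash survives private mode
    else status = 'protected';
    report[scope] = { status, matchesWindow: p !== null && p === win.p };
  }
  return report;
}

// Scopes that keep a stable hash while Window is protected.
function unprotectedScopes(report) {
  return SCOPES.filter((s) => report[s].status === 'unprotected');
}

// Constructed sample shaped like the behaviour described in the comment above.
const sampleNormal = { Window: 'a1f3', DedicatedWorkerGlobalScope: 'a1f3',
  SharedWorkerGlobalScope: 'a1f3', ServiceWorkerGlobalScope: 'a1f3' };
const samplePrivate = { Window: '9c2e', DedicatedWorkerGlobalScope: '9c2e',
  SharedWorkerGlobalScope: 'a1f3', ServiceWorkerGlobalScope: 'a1f3' };

console.log(unprotectedScopes(classifyScopes(sampleNormal, samplePrivate)));
```
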

@abrahamjuliot
Owner

A vulnerability seems to be the case. Possibly connected with https://bugs.webkit.org/show_bug.cgi?id=243555.

@Joe12387
Author

Apple seems to disagree.

Screenshot 2024-03-14 at 4 23 58 PM

@abrahamjuliot
Owner

abrahamjuliot commented Mar 14, 2024

It's likely determined low based on the severity of canvas entropy derived from Apple GPUs. Canvas protections, at best, probably only neutralize annoying cross site trackers.

WebKit hardware acceleration entropy seems fairly uniform within the same OS/browser version. ¯\_(ツ)_/¯

I imagine they will consider and fix if feasible. I recall Brave had a similar issue and patched.

@Joe12387
Author

As it turns out, I just discovered that this affects Firefox as well. Service Workers don't apply canvas protections.

@Joe12387
Author

Apple assigned this vulnerability as CVE-2024-27830 and resolved the issue in Safari 17.5. Firefox's issues should be resolved in 127.

Screenshot 2024-06-12 at 5 34 42 PM

@abrahamjuliot
Owner

Nice. Thanks for the update @Joe12387
