Bug 263366
Summary: | Advanced Tracking and Fingerprinting Protection Issue with Service Workers | | |
---|---|---|---|
Product: | WebKit | Reporter: | Hannes <hannes.kuhlmann> |
Component: | Service Workers | Assignee: | Nobody <webkit-unassigned> |
Status: | RESOLVED FIXED | | |
Severity: | Normal | CC: | m_finkel, webkit-bug-importer, wenson_hsieh, youennf |
Priority: | P2 | Keywords: | InRadar |
Version: | Safari 17 | | |
Hardware: | All | | |
OS: | All | | |
Hannes
Overview:
In Safari 17.0, we have observed a bug with the browser's advanced tracking and fingerprinting protection feature. Despite disabling this feature, requests are being blocked when initiated by a Service Worker. This behavior is inconsistent with the expected behavior, where these requests should proceed normally when advanced tracking and fingerprinting protection is turned off.
Steps to Reproduce:
1. Open Safari 17.0.
2. Navigate to the test site: https://hannes-test-18.app.baqend.com/safari-cb/index.html.
3. Allow the Service Worker to install and then refresh the page.
4. Observe the failure in loading the Reddit tracking script (https://www.redditstatic.com/ads/pixel.js), which is indicated by the error message "Failed to load resource: Resource blocked by content blocker" in the Service Worker logs.
For comparison:
1. Navigate to https://hannes-test-18.app.baqend.com/safari-cb/index.html?sw=false, which does not utilize a Service Worker.
2. Observe that the Reddit tracking script loads without any issues.
Expected Behavior:
If the advanced tracking and fingerprinting protection is disabled in Safari, the browser should not block requests, even when they are made by a Service Worker.
Actual Behavior:
Safari 17.0 blocks the requests made by the Service Worker even when the advanced tracking and fingerprinting protection is disabled.
Additional Information:
This issue has been observed in Safari version 17.0 and the current preview version (Release 181 (Safari 17.4, WebKit 19618.1.3.1)).
Other browsers or previous versions of Safari have not displayed this behavior.
The error message observed is "Failed to load resource: Resource blocked by content blocker".
Radar WebKit Bug Importer
<rdar://problem/117522948>
youenn fablet
The issue seems to be that the DocumentLoader of the service worker has an m_contentExtensionEnablement that is not updated/kept in sync with the page's own DocumentLoader::m_contentExtensionEnablement.
In this particular case, the page is first validating the URL, so we could decide to let the service worker actually load it.
This would not fix the case of a service worker doing a load on its own.
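A diagnostic sketch that separates the two cases distinguished in the comment above: page-initiated requests relayed by the worker, and loads the worker starts on its own. It is an added example, not the reporter's test-site code or WebKit code; the `sw.js` file name, the `[sw-probe]` log tag and the function names are assumptions.

```javascript
// Added diagnostic sketch: not the reporter's test-site code and not WebKit code.
// URL taken from the report; the worker file name sw.js is an assumption.
const TRACKER_URL = 'https://www.redditstatic.com/ads/pixel.js';

// Run one load and report whether it succeeded. fetchImpl is injected so the
// logic can also be exercised outside a browser; in the worker it is fetch.
async function probe(fetchImpl, request, initiator, report) {
  const url = typeof request === 'string' ? request : request.url;
  try {
    const response = await fetchImpl(request);
    // A no-cors cross-origin load gives an opaque response (status 0): still loaded.
    report({ initiator, url, outcome: 'loaded', status: response.status });
    return response;
  } catch (err) {
    // Assumption: a blocked load surfaces to script as a rejected fetch(),
    // like any failed load; the stated reason appears only in the console.
    report({ initiator, url, outcome: 'failed', error: String(err) });
    throw err; // keep the failure visible to the page
  }
}

// Page side: mirror the report's ?sw=false switch to get a no-worker baseline,
// e.g. if (shouldRegisterServiceWorker(location.search)) register('sw.js').
function shouldRegisterServiceWorker(search) {
  return new URLSearchParams(search).get('sw') !== 'false';
}

// Worker side: wire events only when actually running as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  const log = (r) => console.log('[sw-probe]', JSON.stringify(r));

  // Case 1: a request the page started, relayed unchanged by the worker.
  self.addEventListener('fetch', (event) => {
    event.respondWith(probe(fetch, event.request, 'page-relayed', log));
  });

  // Case 2: a load the worker starts on its own, with no page request behind it.
  self.addEventListener('activate', (event) => {
    const own = new Request(TRACKER_URL, { mode: 'no-cors' });
    event.waitUntil(probe(fetch, own, 'worker-initiated', log).catch(() => {}));
  });
}
```

Comparing the `page-relayed` and `worker-initiated` log lines with the protection setting on and off shows which of the two paths is still being blocked.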
EWS
Committed 275970@main (40efee6a397a): <https://commits.webkit.org/275970@main>
Reviewed commits have been landed. Closing PR #25705 and removing active labels.