question regarding dom.workers.enabled and security about user.js HOT 8 CLOSED

IMO, no. The FBI exploit used workers and I assume other exploits do too.
I wouldn't advise setting it to true for all pages. (ie. in the user.js)
I'd recommend to either temporarily enable it in about:config before loading those pages, or setup a second profile for those pages if you visit them regularly.
Just my 2 cents

from user.js.

There are often alternatives that work without it: http://regexr.com/
No idea if it's as good as the other one, but if something doesn't work for me I'll find something else that does.

from user.js.

What I have experienced is that Google Street View requires it (Street View only, not maps), requires it means set to true (default). How not to agree with earthlng? But at the same time enabling/disabling on a per-site basis is cumbersome given the sites requiring it are numerous and/or frequently called. There are several add-ons which resume to a toolbar button to simply toggle an about:config setting but unfortunately none that I know that handle this dom.workers.enabled.

On another hand I've encountered no issue setting dom.serviceWorkers.enabled and dom.workers.sharedWorkers.enabled to false.

For a quick access to a given about:config setting it is always possible to create a bookmark of the form, i.e. about:config?filter=dom.workers.enabled which at least makes it faster/easier than opening about:config and retyping the query each time.

from user.js.

@crssi indeed.
Well, if it appears that this dom.workers.enabled is really better set to false than I might very well follow the advise which seems argumented (earthlin:

The FBI exploit used workers and I assume other exploits do too

)

I'd use the about:config?filter=dom.workers.enabled to quickly set it to true when required by a site (Google Street View, regex101.com ...). Cumbersome but again, if that important then perhaps better to false. I'll add an internote (provided by the eponymous FF add-on) to remember.

from user.js.

That's why I have asked :)
Since the reported CVEs were already fixed by FF if I am correct... I know, I know, there might be (and sure are) some unknown exploits.

from user.js.

Looks like the Pwn2Own exploit also used workers. If you need more reasons to disable that shit - well, I'm sorry that's all I got ;)
It's also interesting that the exploited experimental feature was pref-ed off in stable but the code ignored it, at least in one place where it really mattered.

from user.js.

earthlng: Unless there's something more we can help you with here, please consider closing this @crssi

@earthlng Letting this opened will eventually give us more hints. I see there's a quick decision to close issues here. There are a few ones opened now and you can have up to 25 opened issues before the list generates a second pagelist with a bottom link.

I think these opened issues could give more followers, imho.

from user.js.

I moved the comments regarding the broken addon into a new issue here

from user.js.