[ServiceWorker] Prevent opaque requests being used in response to client requests (#590)

(for "client requests" see https://www.w3.org/Bugs/Public/show_bug.cgi?id=27595)

If an opaque response is used for a client request, it breaks the security model as you can then inspect the contents of the response if it executes script.

E.g.: I could respond to a request for my home page with a no-cors response from gmail, then I can catch one of the script requests it makes & respond with my own request that queries page contents.

@annevk we can easily add this to the ServiceWorker spec, but do you think it fits better in the Fetch spec along with rules like 1.2.2 in https://fetch.spec.whatwg.org/#http-fetch

Chrome seems to already prevent this happening.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/590

Received on Friday, 12 December 2014 14:12:53 UTC
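
Added example, not part of the original message and not code from the ServiceWorker or Fetch specifications: a check a service worker's fetch handler could apply so that an opaque (no-cors) response is never handed back for a client request. Treating navigations and worker script loads as "client requests" is an assumption, as are the function names; the objects used to exercise it are constructed stand-ins for Request and Response.

```javascript
// Assumption: a "client request" is one that creates a new document or worker.
// The destination strings are values of Request.destination.
const CLIENT_DESTINATIONS = new Set([
  'document', 'iframe', 'frame', 'worker', 'sharedworker',
]);

function isClientRequest(request) {
  return request.mode === 'navigate' ||
         CLIENT_DESTINATIONS.has(request.destination);
}

// Decide whether `response` may be used to answer `request`.
// Response.type is 'opaque' for a cross-origin response fetched with no-cors.
function checkResponseForRequest(request, response) {
  if (response.type === 'opaque' && isClientRequest(request)) {
    return { allowed: false, reason: 'opaque response for client request' };
  }
  return { allowed: true, reason: 'ok' };
}

// Return the response if allowed, otherwise whatever makeNetworkError() builds.
// In a real service worker this could be wired up as:
//   event.respondWith(handler(event.request).then(
//     r => guardResponse(event.request, r, () => Response.error())));
function guardResponse(request, response, makeNetworkError) {
  const verdict = checkResponseForRequest(request, response);
  return verdict.allowed ? response : makeNetworkError(verdict.reason);
}

// Constructed sample inputs (plain objects with only the fields the check reads).
const navigation = { mode: 'navigate', destination: 'document' };
const imageLoad  = { mode: 'no-cors',  destination: 'image' };
const opaque     = { type: 'opaque' };
const sameOrigin = { type: 'basic' };

for (const [name, req, res] of [
  ['navigation + opaque', navigation, opaque],
  ['navigation + basic ', navigation, sameOrigin],
  ['image      + opaque', imageLoad, opaque],
]) {
  console.log(name, '->', checkResponseForRequest(req, res).reason);
}
```

An opaque response stays usable for subresources such as images, where the page cannot read its contents; only the client-request case is turned into a network error.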