Re: [ServiceWorker] Should window.caches be removed (or readonly) for security reasons? (#698)

> I believe that a combination of `window.caches` and `cache.put` gives a script loaded from a foreign origin the opportunity to add/update resources into the caches with malicious content.

It can, yes. It can also poison localstorage, indexeddb, cookies, change the destination of forms (such as logins), listen to all the user's keypresses etc etc. Basically, *never* let an untrusted source execute code on your origin.

> Remove window.caches.

I don't think so. Caches aren't special here. If you let an evil third party run code on your origin, you're pretty screwed.

> To me having the caches available on window seems like leaking SW internals into global scope

Caches aren't SW internals, they're just a storage system like indexeddb & localstorage.

> Messing with caches should only be allowed within service worker (as same origin is guaranteed).

Same origin isn't guaranteed within a SW. You can use `importScripts` to pull in scripts from other origins. As with all scripts, only pull in scripts you trust.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/698#issuecomment-102099352

Received on Thursday, 14 May 2015 16:47:26 UTC
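
The point above that `importScripts` can pull in scripts from other origins can be checked in review. The following is an added example, not part of the original message or the ServiceWorker project: it lists the `importScripts()` targets in a service worker's source and flags the ones that resolve to a different origin than the worker. The function name, the sample worker source and the `example.*` hosts are constructed for illustration.

```javascript
// Added example: static audit of importScripts() calls in a service worker.
// Limitations (by design, to stay small): only string-literal arguments are
// resolved; URLs containing "," or ")" and calls inside comments are not
// handled specially. Anything non-literal is reported as "dynamic" so that
// a reviewer inspects it by hand.

function auditImportScripts(swSource, swUrl) {
  const workerOrigin = new URL(swUrl).origin;
  const findings = [];
  const callRe = /\bimportScripts\s*\(([^)]*)\)/g;
  let call;
  while ((call = callRe.exec(swSource)) !== null) {
    const args = call[1].split(',').map((a) => a.trim()).filter((a) => a !== '');
    for (const arg of args) {
      // Accept 'x', "x" or `x` with no template substitution.
      const lit = /^(['"`])([^'"`$]*)\1$/.exec(arg);
      if (!lit) {
        findings.push({ arg, kind: 'dynamic' });
        continue;
      }
      // importScripts resolves relative URLs against the worker script's URL.
      const resolved = new URL(lit[2], swUrl);
      findings.push({
        arg: lit[2],
        url: resolved.href,
        kind: resolved.origin === workerOrigin ? 'same-origin' : 'cross-origin',
      });
    }
  }
  return findings;
}

// Constructed sample worker source (not taken from the thread).
const SAMPLE_SW = `
importScripts('/lib/cache-helpers.js', "https://cdn.example.net/analytics.js");
importScripts('//static.example.org/polyfill.js');
importScripts(self.registration.scope + 'extra.js');
self.addEventListener('fetch', (e) => {});
`;

for (const f of auditImportScripts(SAMPLE_SW, 'https://app.example.com/sw.js')) {
  if (f.kind !== 'same-origin') {
    console.log(`review: ${f.kind} import ${f.url || f.arg}`);
  }
}
```

Every script reported as `cross-origin` or `dynamic` runs with the worker's full access to the origin's caches, so each one is a trust decision to record.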