Re: [ServiceWorker] Should window.caches be removed (or readonly) for security reasons? (#698)

Thank you Jake for your feedback.

Of course you should never include scripts from untrusted sources. However, it is, and will be, done for a long time. You could also argue that if you control an executed script, you could just write whatever content into the DOM. Yes, but the consequences of the attack will not (possibly) persist forever (after the attacking code has been removed).

I agree that other APIs are vulnerable in such a scenario too. However, a cache API will represent a much more interesting point of attack. By having access to the cache API you do not need any knowledge of the website or application. And again, the consequences of the attack will possibly persist forever.

Your localStorage example has two big differences:
1) You need to have understanding of the website you want to attack. Infecting an "untrusted" source (in a very bad scenario that could be the jquery CDN) will not have an impact on all consumers. 
2) The only reason this attack works is because the vulnerable websites are simply inserting the content from localstorage into the DOM. The attack could be prevented by checking the content before inserting. How can you prevent abuse of the cache API (besides not including external scripts)?

To have the web platform be able to compete with native, it also has to be secure. I love the idea of making new APIs HTTPS-only and even discussing moving older APIs to HTTPS-only. I understand that `window.caches` offers some convenience. I just think that by removing `window.caches` the whole ServiceWorker spec would become more secure by default. If you decide to use `importScripts`, then it's your decision and that comes with its own implications.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/698#issuecomment-104924069

Received on Saturday, 23 May 2015 16:55:57 UTC