- From: Jake Archibald <notifications@github.com>
- Date: Sun, 29 May 2016 11:14:56 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc:
Received on Sunday, 29 May 2016 18:15:26 UTC
Yeah this is exactly why we made this restriction.

On Sun, 29 May 2016, 10:57 Andrew Sutherland, <notifications@github.com> wrote:

> It seems like this would enable persistent XSS attacks. Being able to
> execute code once in the origin allows you to control everything that
> happens in the future on the origin. In contrast, by requiring a URL, you
> need to be able to host code on the origin which is a significantly higher
> bar and requires some intent on the part of the origin. This is especially
> relevant in a world where many sites may load third-party JS like ad
> scripts or analytics.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/902#issuecomment-222374562
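The restriction discussed in this thread, as an added example that is not part of the original messages or the ServiceWorker project's code: a model of the script-URL checks that `navigator.serviceWorker.register()` applies, showing why code that ran once in a page but cannot host a file on the origin has no URL it can register. The function name `checkServiceWorkerScript` and the hosts `site.example` and `ads.example` are constructed for illustration.

```javascript
// Added illustration: models the script-URL checks made at registration time.
// It is not a browser's implementation; the secure-context requirement on the
// page itself is a separate check and is not modelled here.
function checkServiceWorkerScript(pageUrl, scriptUrl) {
  let script;
  try {
    script = new URL(scriptUrl, pageUrl); // resolve relative to the page
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  // blob:, data: and similar URLs built from in-page strings are refused:
  // the worker script has to be fetched over HTTP(S).
  if (script.protocol !== "https:" && script.protocol !== "http:") {
    return { ok: false, reason: "scheme " + script.protocol + " not allowed" };
  }
  // Percent-encoded path separators in the script path are rejected.
  if (/%2f|%5c/i.test(script.pathname)) {
    return { ok: false, reason: "encoded slash in path" };
  }
  // The script must be served by the page's own origin, so a third-party
  // script included in the page cannot point at its own host.
  if (script.origin !== new URL(pageUrl).origin) {
    return { ok: false, reason: "cross-origin script" };
  }
  // By default the worker can control at most the directory it is served from.
  return { ok: true, maxScope: new URL("./", script).href };
}

// Constructed sample inputs.
const PAGE = "https://site.example/app/index.html";
const SAMPLES = [
  "/sw.js",                                   // file hosted by the origin
  "/static/sw.js",                            // hosted, but in a subdirectory
  "blob:https://site.example/3f1c-constructed", // built from an in-page string
  "data:text/javascript,self.onfetch=null",   // inline script as a URL
  "https://ads.example/sw.js",                // third party's own host
];

function runSamples() {
  return SAMPLES.map((s) => ({ script: s, ...checkServiceWorkerScript(PAGE, s) }));
}
```

Only the first two samples pass, and the second is limited to `/static/` by default, which is why serving worker scripts from a path where users or third parties can upload files weakens the protection described in the thread.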