Re: [w3c/ServiceWorker] serviceworker for iframes with srcdoc (#765) from Andrew Sutherland on 2016-11-16 (public-webapps-github@w3.org from November 2016)

From: Andrew Sutherland <notifications@github.com>
Date: Wed, 16 Nov 2016 12:18:07 -0800
To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <w3c/ServiceWorker/issues/765/261059434@github.com>

Taking a step back to the use-case (as a reformed HTML/JS email app developer myself), I think the scenario is that the page is embedding third-party content (emails, rich HTML "chat" messages, tweets, maybe ads when the ad-blocker wars get worse) and Service Workers provide a simple abstraction to control remote network access in a powerful way that the sandbox attribute and CSP do not and cannot.  The alternative to using Service Workers in these cases is to use data documents and understand 100% of the semantics of the HTML nodes and CSS rules applied to them in order to re-write or block the remote network accesses depending on the goals[1].

I think it's worth asking whether it's more appropriate to create a logically distinct affordance like "sandboxfetch" to explicitly recognize this use-case and enable good hygiene rather than have it depend on a carefully defined spec grey-zone.  There's been interest in ideas like this before, see the [public-webappsec Jan 2016 discussion on "In-browser sanitization vs. a “Safe Node” in the DOM"](https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0113.html) and [Feb 2016 follow-up thread](https://lists.w3.org/Archives/Public/public-webappsec/2016Feb/0030.html).

The primary benefit from such an approach would be to enable clever use of ServiceWorkers with embedded third-party content without enabling a class of XSS "gotcha!" where malicious sandboxed content is able to leverage naive ServiceWorker implementations.  With explicit "sandboxfetch", the ServiceWorker author has to opt-in to handling the logic rather than being surprised.

1: For the example of an email app, goals would be as follows, with https://github.com/cure53/DOMPurify a common implementation choice:
- Display embedded attachments (via re-written "cid:" URI scheme or implicitly embedded via attachment type which had a synthetic HTML element injected).
- Privacy: not loading remote resources like 1-pixel webbugs without explicit user approval.
- Offline: display pre-cached or previously loaded external resources from local storage.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/765#issuecomment-261059434

Received on Wednesday, 16 November 2016 20:18:42 UTC