- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Fri, 13 Feb 2015 12:29:23 +0100
- To: "Eduardo' Vela <Nava>" <evn@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Bjoern Hoehrmann <derhoermi@gmx.net>, David Ross <drx@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Feb 13, 2015 at 12:13 PM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
> I spent some time trying to make a poor-man's EPR with ServiceWorkers and it
> didn't work. Since ServiceWorkers don't get invoked on resource requests
> (XHR, <img>, etc.) then one can't use them to protect against CSRF.

Service workers are involved in those fetches, as long as the service
worker is controlling the client (document/worker) that initiates them.

> That said, ServiceWorkers can be used effectively to "break linking in the
> web". Since it's already possible to "break linking on the web" with
> ServiceWorkers, we need to either fix SWs, or allow EPR.

That's not how it works. Even if Referer or service workers were an
effective mechanism, that doesn't mean that we need to add another
mechanism.

And so far it's still unclear what is being solved in terms of XSS that
CSP does not address. And in terms of XSRF, it seems we should prioritize
work on cookies.

--
https://annevankesteren.nl/
Received on Friday, 13 February 2015 11:29:47 UTC