Re: [ServiceWorker] Passing a scope or scriptURL to register() with escaped '/' or '\ should fail (#630) from Matt Falkenhagen on 2015-02-20 (public-webapps-github@w3.org from February 2015)

From: Matt Falkenhagen <notifications@github.com>
Date: Thu, 19 Feb 2015 23:26:51 -0800
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/630/75199693@github.com>

(hit enter too early)

Depending on the server configuration, it's possible for someone to easily break the path restriction: put a script at /users/~mattto/sw.js then register('/', '/users%2f~mattto%2fsw.js') passes is accepted.

Of course, the path restriction is inherently not very secure, but this happened in the wild and Chrome now rejects register() calls escaped slashes in scope or scriptURL.


---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/630#issuecomment-75199693

Received on Friday, 20 February 2015 07:27:21 UTC