- From: Jake Archibald <notifications@github.com>
- Date: Tue, 09 Jun 2015 08:37:42 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Tuesday, 9 June 2015 15:38:16 UTC
Yeah, but in those cases a new SW can come in and attempt cleanup. Cookie bombing prevents that happening.

I'm not sure we should do something specific in service worker for cookie bombing, but browsers should do something to combat it. I suggested this to our security team:

> If the browser makes a GET request that fails, and the cookies look "well dodgy", could try a request to the same url without credentials, and if it 200s (or 300s?) could we suggest to the user that their local state may be broken, & do they want to clear it?

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/704#issuecomment-110406094
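
The heuristic suggested in the message above, modelled as an added JavaScript example (not part of the original message and not taken from any browser's code). The size thresholds standing in for "well dodgy", the verdict strings and all function names are assumptions made for illustration.

```javascript
// Added example: a model of the suggested recovery heuristic.
// ASSUMPTION: "well dodgy" is read as "an unusually large Cookie header".
const DODGY_TOTAL_BYTES = 8192;  // assumed threshold for the whole header
const DODGY_SINGLE_BYTES = 4000; // assumed threshold, near the ~4 KB per-cookie cap

const byteLen = (s) => new TextEncoder().encode(s).length;

function cookiesLookDodgy(cookieHeader) {
  const pairs = cookieHeader.split(/;\s*/).filter(Boolean);
  return byteLen(cookieHeader) >= DODGY_TOTAL_BYTES ||
         pairs.some((p) => byteLen(p) >= DODGY_SINGLE_BYTES);
}

// A status is an HTTP status code, or null for a network-level failure.
const failed = (status) => status === null || status >= 400;
const succeeded = (status) => status !== null && status >= 200 && status < 400;

// Decide what to do from the credentialed result, the credential-less
// result (undefined if not tried yet) and the Cookie header that was sent.
function classifyProbe(withCredentials, withoutCredentials, cookieHeader) {
  if (!failed(withCredentials)) return "ok";
  if (!cookiesLookDodgy(cookieHeader)) return "server-error";
  if (withoutCredentials === undefined) return "needs-anonymous-retry";
  // Same URL works without cookies: local state is the likely culprit.
  return succeeded(withoutCredentials) ? "suggest-clearing-site-data"
                                       : "server-error";
}

// Runs the two GETs. fetchImpl is injectable so the flow can be exercised offline.
async function probe(url, cookieHeader, fetchImpl = fetch) {
  const status = async (credentials) => {
    try {
      return (await fetchImpl(url, { method: "GET", credentials })).status;
    } catch {
      return null;
    }
  };
  const first = await status("include");
  let verdict = classifyProbe(first, undefined, cookieHeader);
  if (verdict === "needs-anonymous-retry") {
    verdict = classifyProbe(first, await status("omit"), cookieHeader);
  }
  return verdict;
}

// Constructed sample input: 100 junk cookies of 100 bytes each.
const bombed = Array.from({ length: 100 },
  (_, i) => `j${String(i).padStart(2, "0")}=${"x".repeat(96)}`).join("; ");
```

The credential-less retry only happens when the first request failed and the cookies look suspicious, so ordinary server errors do not trigger a prompt to clear state.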