- From: sirdarckcat <notifications@github.com>
- Date: Fri, 22 May 2015 02:20:03 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Friday, 22 May 2015 09:20:49 UTC
Go to: https://googlechrome.github.io/samples/service-worker/prefetch/index.html And then go to the console and type: caches.open('prefetch-cache-v1').then(function(cache){cache.put(new Request('static/pre_fetched.txt', {mode: 'no-cors'}), new Response('<script>alert(1)</script>', {headers: {'content-type': 'text/html'}}))}) And then go to: https://googlechrome.github.io/samples/service-worker/prefetch/static/pre_fetched.txt This allows an XSS in a website to persist on all cached pages used by the service worker. Note this works across subdirectories (caches are scoped per-origin). --- Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/702
Received on Friday, 22 May 2015 09:20:49 UTC