Re: [ServiceWorker] Should window.caches be removed (or readonly) for security reasons? (#698)

> The only reason this attack works is because the vulnerable websites are simply inserting the content from localStorage into the DOM. The attack could be prevented by checking the content before inserting. How can you prevent abuse of the cache API (besides not including external scripts)?

I think you mean check the content when *retrieved* from localStorage.  And you could do the same thing with Cache API in your service worker script.

I tend to agree with Jake here, but maybe we could add an extra safety belt.

For example, a `cache.match(url, { trusted-only: true })` option.  When set this would require that the security info (cert) associated with the Response must match the request URL and be computed as trusted.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/698#issuecomment-104929439

Received on Saturday, 23 May 2015 17:50:16 UTC
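
The check-on-retrieval idea from the message above, as an added example that is not part of the original email or of the ServiceWorker spec: a service worker serves a Cache API entry only when its metadata shows it was fetched over HTTPS from the URL it is keyed under. `isExpectedResponse`, `matchChecked` and the cache name `v1` are hypothetical names; this does not inspect certificates and is not the proposed `trusted-only` option.

```javascript
// Added example. Helper names and the cache name 'v1' are assumptions.
// A Response built by script (new Response(...)) has type 'default' and url '';
// an opaque cross-origin response has ok === false and url ''. Both are rejected.
function isExpectedResponse(requestUrl, response) {
  if (!response || !response.ok) return false;
  if (response.type !== 'basic' && response.type !== 'cors') return false;
  let req, res;
  try {
    req = new URL(requestUrl);
    res = new URL(response.url); // throws on '' (script-built or opaque)
  } catch (e) {
    return false;
  }
  req.hash = ''; // Response.url never carries a fragment
  res.hash = '';
  return res.protocol === 'https:' && res.href === req.href;
}

// Serve from cache only if the entry passes the check; otherwise evict it
// and go back to the network.
async function matchChecked(cache, request) {
  const cached = await cache.match(request);
  if (isExpectedResponse(request.url, cached)) return cached;
  if (cached) await cache.delete(request);
  return fetch(request);
}

// Registered only where the Cache API exists (service worker context).
if (typeof caches !== 'undefined' && typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => {
    event.respondWith(
      caches.open('v1').then((cache) => matchChecked(cache, event.request))
    );
  });
}
```

Entries stored after a redirect have a final URL that differs from the request URL and are rejected by this check, so they are refetched every time.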