[ServiceWorker] How to deal with cookie bombing (#704)

@sirdarckcat pointed out the following attack:

An attacker that can execute scripts on an origin (XSS) could add large cookies meaning the ServiceWorker fails to update, as the response would be 500 or similar.

We should try and work around this by doing something like this as part of the update:

1. Let `response` be the result of fetching the SW with credentials
1. If fetch fails & cookies header length is greater than some extreme number of bytes,
  1. Let `response` by the result of fetching the SW without credentials + `Service-Worker: script no-credential-fallback` header
1. (continue update)

+@slightlyoff 

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/704

Received on Wednesday, 27 May 2015 23:25:51 UTC