Re: [ServiceWorker] Should window.caches be removed (or readonly) for security reasons? (#698)

Is this only an issue for non-trusted (http://) resources?

It seems that if a SW stores an https:// resource which is then overwritten with a polluted Response, then the polluted Response would be missing the security info for the origin. I would expect the browser to give a mixed-content warning or something similar when this response is passed to respondWith().

I guess the spec does not define how to trust or not-trust synthetically created responses, though.


Received on Thursday, 28 May 2015 17:14:23 UTC