- From: sirdarckcat <notifications@github.com>
- Date: Thu, 28 May 2015 11:58:24 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Thursday, 28 May 2015 18:58:54 UTC

Wouldn't an XSS be able to bypass the CSP storage restrictions with

    URL.createObjectURL(new Blob(['<script>caches.keys().then(keys => keys.map(key => caches.open(key).then(cache => cache.add(new Request('/'), new Response(new Blob(["<script>attack<\/script>"], {type: "text/html"}))))))</script>']))

or something like that?

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/698#issuecomment-106566412