Re: [ServiceWorker] WindowClient.navigate() for the same origin but off-scope clients (#752)

It seems `clients.matchAll({ includeUncontrolled: true })` combined with navigation of off-scope clients would allow a https://www.stanford.edu/~username/ tab to navigate another independent https://www.stanford.edu/ tab to a spoof URL, which isn't otherwise possible.

This seems like a general problem with off-scope WindowClients though, not one specific to navigate().

Perhaps you should only be able to access WindowClients that match the `maxScopeString` defined by the [Update algorithm](https://slightlyoff.github.io/ServiceWorker/spec/service_worker/#update-algorithm) (even if you pass `includeUncontrolled:true` to `matchAll`).

@jakearchibald 

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/752#issuecomment-149596013

Received on Tuesday, 20 October 2015 15:10:58 UTC
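
The restriction proposed in the comment above, modeled as plain URL logic; this is an added example, not code from the spec or from the thread. The helper names, the `sw.js` script URL and the sample client list are assumptions. The max-scope rule follows the Update algorithm's default (the script's directory), with the `Service-Worker-Allowed` header as the override.

```javascript
// Hypothetical helpers: maxScopePath() and filterClientsByMaxScope().

// Default max scope: the script URL's path with the file name removed.
// A Service-Worker-Allowed value, if given, is resolved against the script
// URL and used instead; this sketch rejects a cross-origin value outright.
function maxScopePath(scriptUrl, serviceWorkerAllowed = null) {
  const script = new URL(scriptUrl);
  if (serviceWorkerAllowed === null) {
    return script.pathname.slice(0, script.pathname.lastIndexOf("/") + 1);
  }
  const allowed = new URL(serviceWorkerAllowed, script);
  if (allowed.origin !== script.origin) {
    throw new TypeError("Service-Worker-Allowed must be same-origin");
  }
  return allowed.pathname;
}

// Keep only same-origin client URLs whose path starts with the max scope,
// i.e. what matchAll() would expose under the proposed restriction.
function filterClientsByMaxScope(clientUrls, scriptUrl, serviceWorkerAllowed = null) {
  const origin = new URL(scriptUrl).origin;
  const maxScope = maxScopePath(scriptUrl, serviceWorkerAllowed);
  return clientUrls.filter((raw) => {
    const client = new URL(raw);
    return client.origin === origin && client.pathname.startsWith(maxScope);
  });
}

// Constructed sample: window URLs as an unrestricted
// matchAll({ includeUncontrolled: true }) could report them.
const SAMPLE_CLIENTS = [
  "https://www.stanford.edu/",
  "https://www.stanford.edu/~username/",
  "https://www.stanford.edu/~username/notes/index.html",
  "https://www.stanford.edu/~username2/",
  "https://www.stanford.edu/~other/",
];
const SAMPLE_SCRIPT = "https://www.stanford.edu/~username/sw.js"; // assumed script URL

console.log(filterClientsByMaxScope(SAMPLE_CLIENTS, SAMPLE_SCRIPT));
```

Because the default max scope ends in `/`, the sibling `/~username2/` directory is excluded along with the site root; only a server-sent `Service-Worker-Allowed: /` widens the set to every same-origin window.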