- From: John Mellor <notifications@github.com>
- Date: Tue, 27 Oct 2015 08:00:08 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Tuesday, 27 October 2015 15:00:41 UTC
This would also make XSS more powerful. Imagine an attacker that installs a Service Worker by exploiting a JSONP endpoint at `https://www.google.com/calendar/api/events?callback=XSS_HERE` (as discussed at https://crbug.com/422966). The `maxScopeString` of such a Service Worker is `/calendar/api/`, so it cannot intercept fetches outside that path, but granting it the ability to navigate off-scope clients would allow attacks like the following:

- User opens a new https://www.google.com/ tab.
- Malicious Calendar SW navigates this off-scope tab to https://www.google.com/calendar/api/foo, so that it becomes on-scope.
- Malicious Calendar SW spoofs the Google homepage, and uses `history.replaceState()` to change the apparent URL of the spoofed homepage (displayed in the location bar) to "https://www.google.com/".
- This attack is likely impossible for the user to detect without inspecting the HTML source.

Did the F2F discuss such risks?

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/752#issuecomment-151530669
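The scope checks behind the risk in the message above, as an added illustration that is not code from the Service Worker spec, any browser, or the thread: it contrasts a navigation policy that only checks the target URL against the scope with one that checks the client being navigated, using the message's URLs as constructed sample values. Function and parameter names are assumptions.

```javascript
// Approximation of the spec's scope match: same origin and the URL's path
// starts with the registration's scope path (longest-prefix selection aside).
function isInScope(url, scopeUrl) {
  const u = new URL(url);
  const s = new URL(scopeUrl);
  return u.origin === s.origin && u.pathname.startsWith(s.pathname);
}

// Naive policy (hypothetical): only the navigation *target* must be on-scope.
// This is the relaxation the message warns about.
function naiveNavigatePolicy({ scope, targetUrl }) {
  return isInScope(targetUrl, scope);
}

// Client-bound policy: the client being navigated must already be on-scope,
// i.e. one the worker could control; the target does not decide it.
function clientBoundNavigatePolicy({ scope, clientUrl }) {
  return isInScope(clientUrl, scope);
}

// history.replaceState() only requires the new URL to be same-origin with the
// document, which is why an on-scope page can display "/" in the location bar.
function replaceStateAllowed(documentUrl, newUrl) {
  return new URL(documentUrl).origin === new URL(newUrl).origin;
}

// Constructed sample: the chain described in the message.
const calendarChain = {
  scope: "https://www.google.com/calendar/api/",
  clientUrl: "https://www.google.com/",                 // fresh off-scope tab
  targetUrl: "https://www.google.com/calendar/api/foo", // on-scope destination
};

// Evaluates each policy on one navigation step and whether the follow-up
// location-bar spoof would be permitted once the tab is on-scope.
function evaluateChain(step) {
  return {
    naiveAllows: naiveNavigatePolicy(step),             // true: target is on-scope
    clientBoundAllows: clientBoundNavigatePolicy(step), // false: client is off-scope
    spoofAllowedOnceOnScope: replaceStateAllowed(step.targetUrl, step.clientUrl), // true
  };
}

console.log(evaluateChain(calendarChain));
```

The first two results show that a target-only check lets the off-scope tab be pulled into scope, while binding the check to the client's current URL stops the chain at its first step.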