Re: [ServiceWorker] WindowClient.navigate() for the same origin but off-scope clients (#752) from Jungkee Song on 2015-10-29 (public-webapps-github@w3.org from October 2015)

From: Jungkee Song <notifications@github.com>
Date: Wed, 28 Oct 2015 21:31:01 -0700
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/752/152073205@github.com>

Yes, we missed that scenario. The rationale why we decided to return all the client in the origin was https://github.com/slightlyoff/ServiceWorker/issues/428#issuecomment-53413333. However, returning all the clients in the origin **under `maxScopeString`** would make sense to avoid the outlined threat.

> Perhaps you should only be able to access WindowClients that match the maxScopeString defined by the Update algorithm (even if you pass includeUncontrolled:true to matchAll).

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/752#issuecomment-152073205

Received on Thursday, 29 October 2015 04:31:54 UTC