[ServiceWorker] ServiceWorker scriptURL XSS Filtering (#743)

In response to [1], we've been trying to come up with a good heuristic for detecting reflected XSS in the Chrome implementation of Service Workers. The latest (from johnme@, on [2]; and implemented as [3]) is:

> If the URL of a script subresource contains a string longer than 20 characters and containing characters other than [\w.] that gets reflected within the script (or perhaps only near the beginning), then stop executing that script.

(N.B.: The implementation "blocks segments (separated by = and &) in the query string, that appear anywhere in the service worker script, as long as they are >= 20 bytes," which is only mostly the same.)

Though simple, either strategy places severe restrictions on use of the query string in the scriptURL for dynamically-generated Service Workers. As far as I can tell, though, most sites using Service Worker today do not use the query string for any content, let alone dynamic, reflected, XSS-y stuff, and so would not be affected by this change.

Thoughts?

[1]: https://twitter.com/homakov/status/631134517215002624
[2]: https://code.google.com/p/chromium/issues/detail?id=422966
[3]: https://codereview.chromium.org/1308703002
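As an added example (not Chromium's code or anything from the issue), the two heuristics described above, johnme@'s proposal and the implementation as the post summarises it, applied to constructed scriptURL/script pairs; it assumes query segments are compared both as written and percent-decoded, and that "20 bytes" means UTF-8 bytes.

```javascript
// Added example, not Chromium's code; see the lead-in for the assumptions made.

// Split the query string of a scriptURL on '=' and '&' into segments,
// keeping both the raw and the percent-decoded form of each.
function querySegments(scriptURL) {
  const query = new URL(scriptURL).search.slice(1);
  const forms = new Set();
  for (const seg of query.split(/[=&]/).filter(Boolean)) {
    forms.add(seg);
    try { forms.add(decodeURIComponent(seg)); } catch (e) { /* malformed escape: raw only */ }
  }
  return [...forms];
}

// johnme@'s proposal: a segment longer than 20 characters, containing some
// character outside [\w.], that is reflected in the script stops execution.
function proposalBlocks(scriptURL, scriptBody) {
  return querySegments(scriptURL).some(seg =>
    seg.length > 20 && /[^\w.]/.test(seg) && scriptBody.includes(seg));
}

// The implementation as described: any segment of >= 20 bytes that appears
// anywhere in the script is blocked, whatever characters it contains.
function implementationBlocks(scriptURL, scriptBody) {
  return querySegments(scriptURL).some(seg =>
    Buffer.byteLength(seg, 'utf8') >= 20 && scriptBody.includes(seg));
}

// Constructed scriptURL/script pairs: the first trips both heuristics, the
// second only the implementation's (its segment is all [\w.]), the third neither.
const CASES = [
  { name: 'reflected text with spaces and punctuation',
    url: 'https://sw.example.test/sw.js?greeting=Hello%2C%20world%21%20from%20the%20URL',
    body: 'const greeting = "Hello, world! from the URL";\nself.onfetch = () => {};' },
  { name: 'reflected build id made only of [\\w.] characters',
    url: 'https://sw.example.test/sw.js?build=20150901.abcdef0123456789',
    body: '// build 20150901.abcdef0123456789\nself.onfetch = () => {};' },
  { name: 'short cache-busting value',
    url: 'https://sw.example.test/sw.js?v=3',
    body: '// v3\nself.onfetch = () => {};' },
];

// Run both heuristics over every case and return the verdicts.
function evaluate(cases = CASES) {
  return cases.map(c => ({ name: c.name,
    proposal: proposalBlocks(c.url, c.body),
    implementation: implementationBlocks(c.url, c.body) }));
}
for (const r of evaluate()) console.log(r);
```

The second case is where the two differ: a long version or build identifier made only of word characters and dots is reflected harmlessly, yet the >= 20 byte rule still blocks the script.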

---
https://github.com/slightlyoff/ServiceWorker/issues/743

Received on Tuesday, 1 September 2015 04:48:04 UTC