- From: Jeremy Archer <notifications@github.com>
- Date: Mon, 31 Aug 2015 21:47:32 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
- Message-ID: <slightlyoff/ServiceWorker/issues/743@github.com>
In response to [1], we've been trying to come up with a good heuristic for detecting reflected XSS in the Chrome implementation of Service Workers. The latest (from johnme@, on [2]; and implemented as [3]) is: > If the URL of a script subresource contains a string longer than 20 characters and containing characters other than [\w.] that gets reflected within the script (or perhaps only near the beginning), then stop executing that script. (N.B.: The implementation "blocks segments (separated by = and &) in the query string, that appear anywhere in the service worker script, as long as they are >= 20 bytes," which is only mostly the same.) Though simple, either strategy places severe restrictions on use of the query string in the scriptURL for dynamically-generated Service Workers. As far as I can tell, though, most sites using Service Worker today do not use the query string for any content, let alone dynamic, reflected, XSS-y stuff, and so would not be affected by this change. Thoughts? [1]: https://twitter.com/homakov/status/631134517215002624 [2]: https://code.google.com/p/chromium/issues/detail?id=422966 [3]: https://codereview.chromium.org/1308703002 --- Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/743
Received on Tuesday, 1 September 2015 04:48:04 UTC