Re: [slightlyoff/ServiceWorker] Foreign fetch vs non-credentialed requests (#878) from Ben Kelly on 2016-04-15 (public-webapps-github@w3.org from April 2016)

From: Ben Kelly <notifications@github.com>
Date: Fri, 15 Apr 2016 09:41:59 -0700
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/878/210540205@github.com>

> @wanderview the moment you allow B to be credentialed you have that problem. And given that existing service workers are credentialed it seems like that will be the common case.

But this is not something you can do with same-origin service workers today.  And letting someone setup a tracker across all sites referencing a third-party font, etc, seems quite bad, no?  It doesn't even need an iframe so protections against 3rd party iframes won't work.

If we change registration to choose "credentialed" vs "non-credentialed", the worker would not be able to be shared with normal same-origin operations any more.  Since we can't trace async operations back to their source event easily we would need to prevent credentialed operations everywhere in the service worker.

A little bit more magical would be to spin up a second worker thread for non-credentialed and flip a flag on ServiceWorkerGlobalScope.  Any code running in this restricted instance of the service worker would fail credentialed network requests.

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/878#issuecomment-210540205

Received on Friday, 15 April 2016 16:42:27 UTC