- From: Ben Kelly <notifications@github.com>
- Date: Fri, 15 Apr 2016 09:57:57 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Friday, 15 April 2016 16:58:42 UTC
> And what exactly is the attack model here? If B is used everywhere and wants to track, it can already do so, with or without credentials, and even better the moment we let it run scripts.

Well, as I understand it, CSS @FontFace loads without credentials. If B is hosting a font, suddenly it can now register a foreign fetch service worker and get a tracking cookie delivered with all those font loads.

I guess what you are saying, though, is that since B can run script in the service worker anyway it could just store its own cookie in IDB and send it along in the URL query field. Is that correct?

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/878#issuecomment-210546260