Re: [w3c/ServiceWorker] consider allowing static routing only for "foreign fetch" for anonymous requests (#1024)

I think we've mainly been considering static routes as an optimization in the past.  The fact it avoids js, however, makes it also a nice way to restrict arbitrary code execution in dangerous situations.  This could be more of a driver to implement it (for me anyway).

For example, another possible use here would be a CSP directive indicating static routing is allowed, but service worker js should never be executed.  This would allow a site to utilize some of our main use cases while locking down the risk of losing control of their site via some XSS service worker exploit.

https://github.com/w3c/ServiceWorker/issues/1024#issuecomment-266757202

Received on Tuesday, 13 December 2016 14:48:35 UTC