- From: Jake Archibald <notifications@github.com>
- Date: Sun, 31 Jul 2016 16:08:52 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Sunday, 31 July 2016 23:09:21 UTC
@horo-t
> We disallow mixing ranged responses from different origins.

This may not be enough. Imagine a request for `<script src="//other-origin/private-data">` which (somehow) was requested in three ranges. I could satisfy them with:

* `//other-origin/data.js` which I knew started ``var whatever = ` ``
* `//other-origin/private-data`
* `//other-origin/data.js` which I knew ended `` `; ``

…which would give me access to the private data.

I realise script isn't requested with ranges, but there may be similar attacks with media? If so, we can ensure that for media using opaque responses, each response must have a first item in the [url list](https://fetch.spec.whatwg.org/#concept-response-url-list) that matches the request url.

I'm hoping this caters for single-resource media, but also things like DASH that are made up of multiple parts.

---

https://github.com/slightlyoff/ServiceWorker/issues/703#issuecomment-236462490
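As an added illustration (not code from the thread or from any browser), here is a checker for the two rules discussed above, run over the set of range responses that would be stitched into one media resource. It models each response as `{ type, urlList }` after the Fetch spec and assumes, for the origin comparison, that the origin of interest is the one the bytes actually came from (the last entry of the url list); that assumption is mine, not the thread's.

```javascript
// Added example: validate range responses before a browser splices them together.
// A response is modelled as { type, urlList }: type is "basic", "cors" or "opaque",
// urlList is the Fetch url list (request URL first, final URL after redirects last).

// Strip the fragment so "https://a.example/v.mp4#t=10" matches "https://a.example/v.mp4".
function withoutFragment(urlString) {
  const u = new URL(urlString);
  u.hash = "";
  return u.href;
}

function originOf(urlString) {
  return new URL(urlString).origin;
}

// Returns { ok: true } or { ok: false, reason } for one request URL and the
// responses that satisfied its ranges.
function checkRangeResponses(requestUrl, responses) {
  if (responses.length === 0) return { ok: false, reason: "no responses" };
  const wanted = withoutFragment(requestUrl);
  let firstOrigin = null;
  for (const [i, r] of responses.entries()) {
    if (!Array.isArray(r.urlList) || r.urlList.length === 0) {
      return { ok: false, reason: `response ${i} has an empty url list` };
    }
    // Rule 1 (horo-t): never mix ranged responses from different origins.
    // Assumption: compare the origin the bytes came from (last url list entry).
    const origin = originOf(r.urlList[r.urlList.length - 1]);
    if (firstOrigin === null) firstOrigin = origin;
    if (origin !== firstOrigin) {
      return { ok: false, reason: `response ${i} is from ${origin}, not ${firstOrigin}` };
    }
    // Rule 2 (proposed in the message): for an opaque response, the first url list
    // entry must be the URL the page asked for, so data.js cannot be spliced
    // around private-data even though both live on the same origin.
    if (r.type === "opaque" && withoutFragment(r.urlList[0]) !== wanted) {
      return { ok: false, reason: `opaque response ${i} was fetched from ${r.urlList[0]}, not ${wanted}` };
    }
  }
  return { ok: true };
}

module.exports = { checkRangeResponses, withoutFragment, originOf };
```

Rule 1 alone does not catch the `data.js` / `private-data` / `data.js` splice from the message, because all three parts share an origin; rule 2 rejects it because two of the opaque parts were fetched from a different URL than the one requested.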