- From: Andrew Sutherland <notifications@github.com>
- Date: Sun, 29 May 2016 10:57:04 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc:
Received on Sunday, 29 May 2016 17:57:42 UTC
It seems like this would enable persistent XSS attacks. Being able to execute code once in the origin allows you to control everything that happens in the future on the origin. In contrast, by requiring a URL, you need to be able to host code on the origin which is a significantly higher bar and requires some intent on the part of the origin. This is especially relevant in a world where many sites may load third-party JS like ad scripts or analytics.

---
View it on GitHub: https://github.com/slightlyoff/ServiceWorker/issues/902#issuecomment-222373642