Re: [w3c/ServiceWorker] Foreign fetch vs non-credentialed requests (#878)

@annevk Right, DDoS was the big concern.

Suppose you have a forum or other site that allows the posting of safe non-active content only, but allows you to embed third-party images. Many sites do allow that, and consider img tags safe. (I agree that they should take more care to avoid tracking, yes.) If someone linked to 100 images in an effort to DoS some other site, that's easy to notice and ban. But someone could link an image or two from a cooperating server, that image could serve a foreign-fetch service worker, and that foreign-fetch service worker could make a large number of requests to third-party sites. And as long as the image itself shows up correctly, it's harder to notice the subtle DDoS via the foreign-fetch service worker (complete with amplification attack).

Comment on GitHub: https://github.com/w3c/ServiceWorker/issues/878#issuecomment-250516355

Received on Thursday, 29 September 2016 16:21:58 UTC