- From: Surma <notifications@github.com>
- Date: Fri, 30 Jun 2017 15:09:21 +0000 (UTC)
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 30 June 2017 15:09:56 UTC
In a multi-tenant system, where untrusted users have control over subdirectories, it would be nice to disable ServiceWorkers completely for paths outside the “user’s jail”. Here’s an example:

```
/
|
+- /users
      |
      +- /userA
      +- /userB
      +- ...
+- /data
+- ...
```

A simple oversight like a missing trailing slash (`/users/userA` instead of `/users/userA/`) could allow installing a ServiceWorker outside the user’s jail.

Currently, you can kinda disable ServiceWorker by setting a non-sensical value for the `Service-Worker-Allowed` header, but I’d prefer a more semantic `None` (or similar).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1165
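The trailing-slash oversight described in the message, as an added example that is not part of the original post: it models the string-prefix comparison the Service Worker registration algorithm applies to the maximum scope, and audits a `Service-Worker-Allowed` value against a tenant list. The origin `https://tenants.example`, the tenant `userAdmin` and all function names are constructed for illustration.

```javascript
// Added example: models the max-scope prefix check from the Service Worker
// registration algorithm. Origin and tenant names are constructed samples.
const ORIGIN = 'https://tenants.example';

// Returns the path that a registration's scope must start with,
// or null when the header value cannot widen the scope.
function maxScopePath(scriptUrl, serviceWorkerAllowed) {
  if (serviceWorkerAllowed == null) {
    // No header: the limit is the directory containing the worker script.
    return new URL('./', scriptUrl).pathname;
  }
  const max = new URL(serviceWorkerAllowed, scriptUrl);
  // A cross-origin header value is ignored and the registration fails.
  return max.origin === new URL(scriptUrl).origin ? max.pathname : null;
}

// True when a registration of `scope` for `scriptUrl` passes the check.
function scopeAllowed(scriptUrl, scope, serviceWorkerAllowed) {
  const script = new URL(scriptUrl, ORIGIN);
  const scopeUrl = new URL(scope, script);
  if (scopeUrl.origin !== script.origin) return false;
  const max = maxScopePath(script.href, serviceWorkerAllowed);
  // Plain string prefix comparison: it has no notion of path segments.
  return max !== null && scopeUrl.pathname.startsWith(max);
}

// Audit helper: which other tenant directories does this header value admit
// when sent with the worker script of tenant `owner`?
function leakedTenants(owner, headerValue, tenants) {
  const script = `${ORIGIN}/users/${owner}/sw.js`;
  return tenants.filter(
    (t) => t !== owner && scopeAllowed(script, `/users/${t}/`, headerValue));
}

const TENANTS = ['userA', 'userAdmin', 'userB']; // constructed sample
console.log(leakedTenants('userA', '/users/userA', TENANTS));  // slash missing
console.log(leakedTenants('userA', '/users/userA/', TENANTS)); // slash present
```

Running the audit over every tenant's header value before deployment catches a value that admits a sibling directory.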