[w3c/ServiceWorker] Allow `None` as value for `Service-Worker-Allowed`. (#1165)

In a multi-tenant system, where untrusted users have control over subdirectories, it would be nice to disable ServiceWorkers completely for paths outside the “user’s jail”.

Here’s an example:

```
/
|
+- /users
   |
   +- /userA
   +- /userB
   +- ...
+- /data
+- ...
```

A simple oversight like a missing trailing slash (`/users/userA` instead of `/users/userA/`) could allow installing a ServiceWorker outside the user’s jail.

Currently, you can kinda disable ServiceWorker by setting a nonsensical value for the `Service-Worker-Allowed` header, but I’d prefer a more semantic `None` (or similar).

https://github.com/w3c/ServiceWorker/issues/1165

Received on Friday, 30 June 2017 15:09:56 UTC
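
The trailing-slash oversight described in the message above, as an added example that is not part of the original message or the project's code: the browser compares the requested scope path against the maximum scope path as a plain string prefix, so a `Service-Worker-Allowed` value without a trailing slash also covers sibling directories whose names begin with the same characters. `scopeAllowed` and `scopeControls` mirror that prefix comparison, `safeAllowedValue` is a hypothetical server-side guard, and the origin and the `/users/userA2/` path are constructed.

```javascript
// Added example (not from the original message). Origin and paths are constructed.
const ORIGIN = 'https://example.test';

// Registration-time check: the requested scope's path must start with the
// maximum scope path, which is the Service-Worker-Allowed value if present,
// otherwise the directory that contains the worker script.
function scopeAllowed(scriptUrl, requestedScope, allowedHeader) {
  const script = new URL(scriptUrl, ORIGIN);
  const scope = new URL(requestedScope, script);
  const max = allowedHeader != null
    ? new URL(allowedHeader, script)   // header value resolved against the script URL
    : new URL('./', script);           // default: the script's own directory
  return scope.origin === max.origin && scope.pathname.startsWith(max.pathname);
}

// Runtime check: a registration controls a page when the page URL starts
// with the scope URL (again a string prefix, not a directory comparison).
function scopeControls(scope, pageUrl) {
  return new URL(pageUrl, ORIGIN).href.startsWith(new URL(scope, ORIGIN).href);
}

// Hypothetical guard for the operator: only emit a header value that ends in
// "/" and, after URL normalisation (which resolves "../"), stays inside the
// tenant's directory.
function safeAllowedValue(value, tenantRoot) {
  const path = new URL(value, ORIGIN).pathname;
  return tenantRoot.endsWith('/') && path.endsWith('/') && path.startsWith(tenantRoot);
}
```

With the slash-less value `/users/userA`, `scopeAllowed` accepts the scope `/users/userA`, and `scopeControls` then reports that scope as covering `/users/userA2/index.html`; `safeAllowedValue` rejects that header value before it is sent.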