Re: [w3c/ServiceWorker] Service workers allow for more responses to be executed as script (#1509)

Our general goal with CORB was to only let cross-origin responses into the renderer process if they could be legitimately used as subresources (e.g., in script tags, image tags, etc.), or if they were allowed via CORS.  The blocking logic didn't care how the renderer process actually asked for the response (e.g., via ServiceWorker vs script tag), since a compromised renderer could claim to use whatever request type would let it get the most data.  Thus, CORB blocks things like HTML, XML, and JSON whether a ServiceWorker is asking or not.

It does sound like this trick would let an origin try to run more things as script than usual, so I'm happy to see you all talking about ways to address it.  I don't have strong feelings about how or where in the spec it goes, though.  I only suggest that you avoid having the CORB part of the spec depend on how the content was requested (e.g., whether it was from a ServiceWorker), since that can be forged.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1509#issuecomment-613699777

Received on Tuesday, 14 April 2020 21:53:00 UTC
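
The design point in the message above, as an added example that is not part of the original message and is not Chromium's or the spec's code: a simplified CORB-style decision whose inputs are limited to the initiator origin (assumed here to be known outside the renderer) and the response itself, next to a hypothetical variant that trusts a renderer-supplied request type. Content sniffing and `nosniff` handling are omitted, and the function names, the `response` shape, and the `"serviceworker"` label are assumptions made for illustration.

```javascript
// Simplified model of a CORB-style decision. Added example, not Chromium's code.
// Inputs are only what the network side can observe for itself; the request
// type claimed by the renderer is deliberately not a parameter.
const PROTECTED = [
  /^text\/html$/, /^text\/xml$/, /^application\/xml$/, /\+xml$/,
  /^application\/json$/, /^text\/json$/, /\+json$/,
];

function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// response: { url, contentType, corsAllowed } (shape constructed for this example)
function corbShouldBlock(initiatorOrigin, response) {
  if (new URL(response.url).origin === initiatorOrigin) return false; // same-origin
  if (response.corsAllowed) return false;                             // opted in via CORS
  const essence = mimeEssence(response.contentType);
  if (essence === "image/svg+xml") return false;                      // legitimate in <img>
  return PROTECTED.some((re) => re.test(essence));
}

// Hypothetical anti-pattern: the decision depends on a value the renderer
// supplies, so a compromised renderer simply claims the permissive type.
function forgeableShouldBlock(initiatorOrigin, response, claimedRequestType) {
  if (claimedRequestType === "serviceworker") return false;
  return corbShouldBlock(initiatorOrigin, response);
}

// Constructed sample: a cross-origin JSON response without CORS.
function demo() {
  const page = "https://app.example";
  const json = {
    url: "https://other.example/api/me",
    contentType: "application/json; charset=utf-8",
    corsAllowed: false,
  };
  return ["script", "image", "serviceworker"].map((claim) => ({
    claim,
    corb: corbShouldBlock(page, json),
    forgeable: forgeableShouldBlock(page, json, claim),
  }));
}

console.log(demo());
```

The `corb` column is identical for every claimed request type, while the `forgeable` column flips to "not blocked" as soon as the claim changes.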