Re: [w3c/ServiceWorker] consider allowing a non-scope identifier for registrations (#1512)

@wanderview Elaborating on my original concern in https://github.com/w3c/ServiceWorker/issues/1512#issuecomment-610684558, I'm not sure from your description in https://github.com/w3c/ServiceWorker/issues/1512#issuecomment-666454901 how this prevents an end-run around https://w3c.github.io/ServiceWorker/#path-restriction by stealing existing controlled clients. Can you expand on how your prior comments interact with your current proposal given the following scenario:
- A SW was installed on a site with scope "/send-money/" and its defaulted id is "/send-money/". It hosts a UI for sending money that's protected by some type of 2nd factor code.
- A partial site compromise allows an attacker control over static content hosted at "/about/" including the ability to host a ServiceWorker script there, but no higher.
- A user goes to /send-money/ to send money. They click on the "/about/" link to open in a new tab or a pop-up because they want to check something out or there's some ill-conceived iframe stuff going on.
- The "/about/" page does `register('/about/evil-mitm-sw.js', {id: '/send-money/', scope: '/about/' })` and "evil-mitm-sw.js" does skipWaiting() and is thereby able to take control of the existing controlled clients and intercept their network requests.  It re-writes the target bank account numbers in the intercepted fetch requests for the transfer or something, which is a plausible nefarious thing that CSP can't stop, why not.

Note that I'm not suggesting that https://w3c.github.io/ServiceWorker/#path-restriction is going to moot the massive badness of such a hypothetical compromise given that same-origin is where the actual security boundary is, but https://w3c.github.io/ServiceWorker/#path-restriction is an existing protection that is stricter than same-origin and we should be intentional about weakening or removing it.


Received on Thursday, 30 July 2020 20:48:33 UTC
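
An added illustration, not part of the original message and not code from the ServiceWorker spec or any browser: a sketch of the path-restriction check run against the registration in the scenario above, assuming the proposed `id` option were validated the same way as `scope`. The origin, the function names and that validation rule are assumptions; `id` is only the option proposed in issue #1512.

```javascript
// Constructed origin for the example; not taken from the thread.
const ORIGIN = "https://bank.example";

// Max scope under the path restriction: the script's directory, unless a
// same-origin Service-Worker-Allowed header value replaces it.
function maxScopePath(scriptURL, serviceWorkerAllowed = null) {
  const script = new URL(scriptURL, ORIGIN);
  if (serviceWorkerAllowed === null) {
    return script.pathname.slice(0, script.pathname.lastIndexOf("/") + 1);
  }
  const allowed = new URL(serviceWorkerAllowed, script);
  return allowed.origin === script.origin ? allowed.pathname : null;
}

// True when `candidate` (a scope, or a proposed id) lies under the max scope.
// URL parsing normalizes "../" segments before the prefix comparison.
// Simplification: relative candidates are resolved against the script URL.
function withinMaxScope(scriptURL, candidate, serviceWorkerAllowed = null) {
  const script = new URL(scriptURL, ORIGIN);
  const max = maxScopePath(scriptURL, serviceWorkerAllowed);
  if (max === null) return false;
  const target = new URL(candidate, script);
  return target.origin === script.origin && target.pathname.startsWith(max);
}

// Names of the registration options that fall outside the max scope.
// Hypothetical rule: `id` defaults to `scope` and is checked like it.
function violations({ scriptURL, scope, id = scope, serviceWorkerAllowed = null }) {
  const options = { scope, id };
  return Object.keys(options).filter(
    (name) => !withinMaxScope(scriptURL, options[name], serviceWorkerAllowed)
  );
}

// The registration from the scenario: scope passes, id does not.
console.log(violations({
  scriptURL: "/about/evil-mitm-sw.js", scope: "/about/", id: "/send-money/",
})); // [ 'id' ]
```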