Re: [w3c/ServiceWorker] register() lacks same origin check (#1518) from Marijn Kruisselbrink on 2020-06-15 (public-webapps-github@w3.org from June 2020)

From: Marijn Kruisselbrink <notifications@github.com>
Date: Mon, 15 Jun 2020 09:11:05 -0700
To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/ServiceWorker/issues/1518/644228611@github.com>

Start Register schedules a "Register" job, which ends up invoking https://w3c.github.io/ServiceWorker/#register-algorithm, which does do same origin checks in step 2 and 3 (the "referrer" is set to "client's creation URL" in the register() method.

This definitely could be cleaned up more to make it clearer. I remember there was a good reason for making this this complicated back when I spec'ed header-based installation, but that was a bad idea anyway. So probably it could be done much more straight forward.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1518#issuecomment-644228611

Received on Monday, 15 June 2020 16:11:18 UTC