- From: Jonas Sicking <notifications@github.com>
- Date: Fri, 12 Feb 2021 21:32:13 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 13 February 2021 05:32:26 UTC
I'm curious how we are thinking about the issue here in relation to the fact that a lot of the same information is exposed through the CSSOM in most major browsers, Safari and Chrome included [1]. What would be the security win if we just fix this issue without also fixing the CSSOM issue? Are there plans to also fix the CSSOM issue? Has any experiments been done to see what percentage of websites would be impacted? Or any experiments shipped with that support disabled? I'm also curious if anyone has heard of this issue leading to security problems? This design has been shipping for several years now so we've had opportunity to see if this is a real-world problem or just a theoretical one. I think it's well established that no-cors cross-site stylesheets has lead to security issues (as referenced in [2]). However the question at hand in this issue is if locking down URL access while still exposing a lot of other properties provides meaningful security benefits. [1] https://jsbin.com/pigihubuxa/edit?html,output [2] https://github.com/w3c/ServiceWorker/issues/719#issuecomment-433819735 -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/719#issuecomment-778566919
Received on Saturday, 13 February 2021 05:32:26 UTC