Re: [w3c/ServiceWorker] Create Service Worker from Blob/String that does not persist and auto claims for testing (Issue #1642)

I understand the intent of this request to be similar to https://github.com/w3c/ServiceWorker/issues/1437 but also requesting a relaxation of the fundamental security path constraint.  Specifically, the goal is to have the special powers of a ServiceWorker in terms of fetch interception and being marked as the controller, and there's no expressed desire to have a real scope, but rather to control the current page or an iframe.  That issue, however, is not requesting relaxation of the path constraint, but instead powers over a non-same-origin iframe.

This proposal doesn't address the fundamental security problem of step 8 [of the update algorithm](https://w3c.github.io/ServiceWorker/#update-algorithm) which enforces path constraints.  Given the rest of the existing spec text, any ServiceWorker registered even ephemerally would still be able to intercept any page on the origin, which would still make this a potential means of XSS, just ephemeral to a browser session.  If the registration were to somehow not have a scope so it only matches the current page, that would conceptually side-step the interception concern, but it's also an entirely new thing that would increase implementation complexity in a way that would have security concerns.

For the use-case of ServiceWorker testing on code editor sites, are the sites preventing use of ServiceWorkers (in which case perhaps an alternate site like glitch.com should be used), or is this a desire to clean up?  For clean-up, a ServiceWorker registration can be unregistered while still controlling a page, and so once the page is claimed, unregister could be called.  Additionally, as a meta thing, I believe that for Firefox our tracking protection logic may already, and potentially our QuotaManager logic will soon, more aggressively clear data for origins that were visited once and then never again so a unique origin leaving behind a ServiceWorker isn't a major concern.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1642#issuecomment-1115040528

Message ID: <w3c/ServiceWorker/issues/1642/1115040528@github.com>

Received on Monday, 2 May 2022 15:33:46 UTC
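
The path constraint the message above refers to, as an added example (not part of the original message, and not browser or spec code): a registration's scope must fall under the directory of the worker script unless a same-origin `Service-Worker-Allowed` response header widens it. The function names and the example.test URLs are assumptions made for illustration, and the scope is resolved against the script URL for simplicity.

```javascript
// Added illustration of the ServiceWorker path restriction.
// Function names are hypothetical; this is not browser or spec code.

// Path prefix a worker script may control, or null if the header is unusable.
function maxScopePath(scriptURL, serviceWorkerAllowed) {
  const script = new URL(scriptURL);
  if (serviceWorkerAllowed == null) {
    // Default: the directory that contains the worker script.
    return new URL('./', script).pathname;
  }
  // The header value is resolved relative to the script URL.
  const max = new URL(serviceWorkerAllowed, script);
  // A cross-origin header value never widens the scope.
  return max.origin === script.origin ? max.pathname : null;
}

// True when a registration with this scope would pass the path check.
function scopeAllowed(scriptURL, scopeURL, serviceWorkerAllowed = null) {
  const script = new URL(scriptURL);
  // Simplification: resolve the scope against the script URL.
  const scope = new URL(scopeURL, script);
  if (scope.origin !== script.origin) return false;
  const max = maxScopePath(scriptURL, serviceWorkerAllowed);
  return max !== null && scope.pathname.startsWith(max);
}

// Constructed sample registrations (example.test is a placeholder origin).
const samples = [
  ['https://example.test/editor/user1/sw.js', '/editor/user1/', null],
  ['https://example.test/editor/user1/sw.js', '/', null],
  ['https://example.test/editor/user1/sw.js', '/', '/'],
  ['https://example.test/sw.js', '/account/', null],
];
for (const [script, scope, header] of samples) {
  console.log(script, scope, header, '->', scopeAllowed(script, scope, header));
}
```

A worker created from a Blob or string has no script path on the origin, so this check has no directory to bound its scope by.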