Re: [w3c/ServiceWorker] Create service worker from Blob/String URL (#578)

> The problem is that to unregister you need to first actually get code to run on that origin. If the service worker doesn't have an actual network url to check for updates, the service worker can just intercept all navigation, and never let any new request to the server actually reach the server, so even fixing the server won't enable fixing the clients. Basically the entire 24 hour update check wouldn't be possible anymore with blob urls.

But this is exactly what is needed to protect against server compromise. The current service worker downloads a new one, checks its digital signature and only then initiates an update.

-- 
https://github.com/w3c/ServiceWorker/issues/578#issuecomment-1255545099

Message ID: <w3c/ServiceWorker/issues/578/1255545099@github.com>

Received on Thursday, 22 September 2022 21:02:59 UTC
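
The update gate described in the reply above, as an added example that is not part of the original message or of the ServiceWorker specification: a worker holding a pinned public key accepts a downloaded replacement only if its detached signature verifies, and otherwise keeps the version it already runs. It uses Node's `crypto` module and a constructed Ed25519 key pair so it runs offline; all function and variable names are hypothetical.

```javascript
// Added illustration; every name here is hypothetical.
const nodeCrypto = require('node:crypto');

// Constructed key pair. In the scheme described, the private key stays
// offline with the developer; only the public key ships inside the worker.
const { publicKey: PINNED_PUBLIC_KEY, privateKey: OFFLINE_SIGNING_KEY } =
  nodeCrypto.generateKeyPairSync('ed25519');

// Developer side: produce a detached signature over the release bytes.
function signRelease(scriptText) {
  return nodeCrypto.sign(null, Buffer.from(scriptText, 'utf8'), OFFLINE_SIGNING_KEY);
}

// Worker side: decide whether a downloaded candidate may replace the
// running script. On any failure the current script stays active.
function checkUpdate(currentScript, candidate) {
  const { scriptText, signature } = candidate || {};
  if (typeof scriptText !== 'string' || !Buffer.isBuffer(signature)) {
    return { accepted: false, active: currentScript, reason: 'malformed update' };
  }
  let valid = false;
  try {
    valid = nodeCrypto.verify(
      null, Buffer.from(scriptText, 'utf8'), PINNED_PUBLIC_KEY, signature);
  } catch {
    valid = false; // treat verifier errors as a failed check
  }
  if (!valid) {
    return { accepted: false, active: currentScript, reason: 'bad signature' };
  }
  return { accepted: true, active: scriptText, reason: 'signature valid' };
}

// Constructed sample data.
const CURRENT = '/* worker v1 */';
const NEXT = '/* worker v2 */';
const SIGNED_UPDATE = { scriptText: NEXT, signature: signRelease(NEXT) };
// Same signature, but the script body was changed after signing.
const TAMPERED_UPDATE = {
  scriptText: NEXT + '\n/* modified on server */',
  signature: SIGNED_UPDATE.signature,
};

console.log(checkUpdate(CURRENT, SIGNED_UPDATE).reason);
console.log(checkUpdate(CURRENT, TAMPERED_UPDATE).reason);
```

In a browser service worker the same check would go through WebCrypto (`crypto.subtle.verify`) rather than Node's module.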