- From: Daniel Abrecht <notifications@github.com>
- Date: Sat, 19 Aug 2023 07:06:30 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 19 August 2023 14:06:36 UTC
I'm currently developing an SSO solution, and ran into some difficulties: https://github.com/Daniel-Abrecht/dpa-sso#security-relevant-limitations

To sum it up, I can't rely on cross-origin cookies to store a session token, because browsers allow disabling them nowadays. For that reason, I pass it to a well-known location at the origin, which needs the token as a GET parameter. If that origin has a service worker installed, it could intercept that token. For some applications, that may be desirable, but for others, it could be problematic.

I'm still looking for a safer way to pass the token, but it would also be nice to have a way to prevent a service worker from handling requests to certain locations. For that reason, I propose adding a `Service-Worker-Exclude` header, which would have some similarities to the `Service-Worker-Allowed` header.

I would like it to work as follows. `Service-Worker-Exclude` should contain a list of locations that will not be handled by the service worker and just bypass it entirely. It should be set when installing the service worker. That way, I could, for example, make sure the entire `/.well-known/` directory won't be handled by a service worker.

-- 
Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1690
Message ID: <w3c/ServiceWorker/issues/1690@github.com>
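The two halves of the message above, the interception risk and the proposed bypass, as an added example that is not part of the issue, the dpa-sso project, or the Service Worker spec. The header semantics are assumed for illustration only (there is no such header today): a comma-separated list of path prefixes, resolved against the service worker script URL, where a same-origin request whose path starts with one of them goes straight to the network. The origin `app.example`, the header value and the landing URL are constructed sample values.

```javascript
// Added example, not code from the issue or the spec. Models the proposed
// Service-Worker-Exclude header with ASSUMED semantics (comma-separated path
// prefixes relative to the script URL) and the token interception the issue
// describes. Runs in Node (no service worker APIs needed for the checks).

// Parse the hypothetical header value into absolute path prefixes.
// Each entry must stay on the worker's own origin, mirroring how a service
// worker can only control same-origin requests.
function parseServiceWorkerExclude(headerValue, scriptUrl) {
  const base = new URL(scriptUrl);
  return headerValue
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((s) => {
      const u = new URL(s, base);
      if (u.origin !== base.origin) {
        throw new Error(`excluded location must be same-origin: ${s}`);
      }
      return u.pathname;
    });
}

// Under the assumed semantics, a same-origin request whose path starts with an
// excluded prefix would never reach the worker's fetch handler.
function bypassesServiceWorker(requestUrl, scriptUrl, excludedPrefixes) {
  const req = new URL(requestUrl);
  const base = new URL(scriptUrl);
  if (req.origin !== base.origin) return false; // out of the worker's control
  return excludedPrefixes.some((prefix) => req.pathname.startsWith(prefix));
}

// The problem the issue warns about: any fetch handler that sees the request
// can read a token carried as a GET parameter.
function tokenFromRequestUrl(requestUrl, paramName = 'token') {
  return new URL(requestUrl).searchParams.get(paramName);
}

// Simulated dispatch: either the worker handles the request (and could harvest
// the token) or, with the proposed exclusion, it goes directly to the network.
function simulateFetch(requestUrl, scriptUrl, excludedPrefixes) {
  if (bypassesServiceWorker(requestUrl, scriptUrl, excludedPrefixes)) {
    return { handledBy: 'network', token: null };
  }
  return { handledBy: 'service-worker', token: tokenFromRequestUrl(requestUrl) };
}

// Constructed sample values (hypothetical origin, header and SSO landing URL).
const SCRIPT_URL = 'https://app.example/sw.js';
const HEADER = '/.well-known/, /api/auth/';
const EXCLUDES = parseServiceWorkerExclude(HEADER, SCRIPT_URL);
const LANDING = 'https://app.example/.well-known/sso-login?token=abc123';
const PAGE = 'https://app.example/dashboard?token=abc123';

// If this file were loaded as an actual service worker, this is the handler
// that would observe the token today, since no browser implements the
// proposed exclusion. Guarded so the file also runs under Node.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const seen = tokenFromRequestUrl(event.request.url);
    if (seen !== null) console.log('service worker observed token', seen);
  });
}

console.log(simulateFetch(LANDING, SCRIPT_URL, EXCLUDES)); // bypassed under the assumed header
console.log(simulateFetch(PAGE, SCRIPT_URL, EXCLUDES));    // worker sees "abc123"
```

The `bypassesServiceWorker` check is a plain prefix match; a real specification would also have to decide how exclusions interact with scope and `Service-Worker-Allowed`, which this model deliberately does not attempt.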