- From: Hugo Landau <notifications@github.com>
- Date: Thu, 18 May 2023 13:49:50 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/ServiceWorker/issues/1680@github.com>
I think it would be valuable to support SRI for service worker JS files. Reasoning: There's a lot of controversy about web-based crypto applications. Namely, that they're never truly secure because they can be compromised by changing the code shipped to the client implementing the crypto, and there's a lack of visibility for client-side code updates on the web. If a service worker could be constrained to have a specific hash, that service worker could, in turn, implement a site-specific content verification policy. It could, for example, chainload another service worker file after verifying a cryptographic signature, so it wouldn't prevent frequent updates. Applications would be free to define policies around those updates that quell any concerns about the visibility of future updates to a codebase. As an arbitrary example, signatures from multiple unrelated parties could be required. Having verified a service worker implementing such a trust policy, the use of such a service worker would be verified simply via its hash. Thus adding SRI for service workers has the potential to create a programmable root of trust for an entire website. In particular, service workers are designed to have great longevity as things a browser remembers. I could envisage someone developing an addon that ships a preloaded list of service worker SRI pins for popular origins providing cryptographic applications. People could update their list of pins based on what they're willing to trust, which would make code updates more visible for high-security web applications. These aren't the only use cases; if you don't find them compelling, there are others. Because a service worker has extremely powerful control over an origin, and is remembered for long periods, a compromised service worker file is potentially one of the most disastrous things that could happen to a site. I'd therefore argue that extending SRI to service workers would in general be quite valuable. Proposed API: Add an integrity field to the options object passed to ServiceWorkerContainer.register(). Originally proposed in the [SRI repo](https://github.com/w3c/webappsec-subresource-integrity/issues/66) but moving it here as this appears to be the correct repository for discussion. This is also related to #822 but proposes a different, and arguably much simpler solution for a related set of use cases. -- Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1680 You are receiving this because you are subscribed to this thread. Message ID: <w3c/ServiceWorker/issues/1680@github.com>
Received on Thursday, 18 May 2023 20:49:56 UTC