- From: Ricardo Iván Vieitez Parra <notifications@github.com>
- Date: Thu, 05 Dec 2024 08:56:28 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/ServiceWorker/issues/578/2520916661@github.com>
It's unfortunate that this is closed because, as it stands, there is no way to fully provide integrity protection to a PWA in the event of server compromise or takeover. This puts PWAs on unequal footing with native apps, which do have the ability _not_ to be updated, or to validate updates as much or as little as they wish. In fact, if we were talking about a native application which would fetch updates from some endpoint and install them without verification, it'd be considered a glaring security issue.

On the other hand, I understand the concern that implementing this can:

1. Lock the site owner from the site (accidentally or not), including updating it, and
2. "A single successful attack on a server could compromise users for a long time"

I believe that both of these concerns can be addressed by:

1. Adding "immutable" service workers. They don't necessarily have to be created using `data:` URLs, a flag would do.
2. To alleviate XSS attacks, immutable service workers could be validated by some other mechanism, such as a special header with a script hash, or by fetching some well-known URL using a script hash.
3. To alleviate other attacks, an explicit permission would be requested (and granted) for these types of service workers.
4. It could even be possible to continuously check for updates, with the difference being that, if there's an update, the user would be warned and, if they proceed, site data would be cleared. This solves the "could compromise users for a long time" part.

-- 
Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/578#issuecomment-2520916661
Received on Thursday, 5 December 2024 16:56:32 UTC