- From: BlobTheKat <notifications@github.com>
- Date: Sat, 08 Jun 2024 09:42:02 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 8 June 2024 16:42:06 UTC
Exposing access to `caches` with `{credentials: 'omit'}` could allow an untrusted worker running on a web page to overwrite existing cache entries, where it could inject an arbitrary script that would be run the next time the page is loaded. Such a script would then have not just one-time but permanent access to the page's credentials. Currently both `localStorage` and `indexedDB` are inaccessible for workers with this option; this should also be made the case for `caches`.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1721
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/ServiceWorker/issues/1721@github.com>