- From: Yoshisato Yanagisawa <notifications@github.com>
- Date: Wed, 05 Feb 2025 02:28:11 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 5 February 2025 10:28:15 UTC
I'm revisiting my earlier comment in https://github.com/w3c/ServiceWorker/issues/1690#issuecomment-2614959834 in light of our evolving understanding of the threat model. Originally, I had assumed a scenario where the server, ServiceWorker script, and the registering page were under the same ownership or at least trusted parties. I now understand that we need to account for a more hostile environment where each component could be adversarial. This has clarified why the header approach is being considered.

The use of headers brings Content Security Policy to mind. Since script injection is a primary concern, I would like to understand why using a `<script>` tag with a nonce for `register()` would not be a viable option in this hostile context. Could you share some insights into the limitations of this approach in this scenario?

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1690#issuecomment-2636334142

Message ID: <w3c/ServiceWorker/issues/1690/2636334142@github.com>