Re: [w3c/ServiceWorker] Support No-Vary-Search header in Cache API (Issue #1798)

ricea left a comment (w3c/ServiceWorker#1798)

> Specifically, it seems like if the malicious page is the top-level browsing context and the browser is partitioning, then any fetches made by the (first-party) ServiceWorker will themselves be partitioned with the malicious site as the partition key, so the only way any entropy could be extracted is if the malicious page convinces the user to log into the site in an iframe (thereby having the partition key).

In Chrome, cookies are not partitioned. In the default configuration, third-party cookies are enabled, so if the user has logged into `target` in any context the attack will work, with no user action required.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1798#issuecomment-3501353935

Message ID: <w3c/ServiceWorker/issues/1798/3501353935@github.com>

Received on Friday, 7 November 2025 08:53:13 UTC