
Service Workers serving Flash content

From: Ben Toews <btoews@github.com>
Date: Wed, 26 Mar 2014 13:02:55 +0100
To: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <5AD8554ABC7A4C8BA3DA0F99242AE6B6@github.com>

Has any thought been given to SWs serving up Flash files from other domains? Flash's origin restrictions are opposite from the SOP. If evil.com loads a Flash file from good.com, that Flash file can make HTTP requests with the browser's cookies back to good.com and read the response. There doesn't seem to be any way to prevent this from good.com so long as it is serving the Flash file. With SWs, it seems like evil.com could register a SW that serves a non-existent malicious Flash file, appearing to come from good.com. From there, the Flash file can make requests to good.com and can read CSRF tokens or other sensitive information from the responses.

Ben Toews
Received on Wednesday, 26 March 2014 12:03:28 UTC
