W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2014

Re: Service Workers serving Flash content

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 27 Mar 2014 15:20:25 +0000
Message-ID: <CADnb78jTA8t7qkD9A7nD8-fD7iaczxG1ZagfJtEHmBEz5frKjw@mail.gmail.com>
To: Ben Toews <btoews@github.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Mar 26, 2014 at 12:02 PM, Ben Toews <btoews@github.com> wrote:
> Has any thought been given to SWs serving up Flash files from other domains?
> Flash’s origin restrictions are opposite from the SOP. If evil.com loads a
> flash file from good.com, that Flash file can make HTTP requests with the
> browser's cookies back to good.com and read the response. There doesn’t seem
> to be any way to prevent this from good.com so long as it is serving the
> Flash file. With SWs, it seems like evil.com could register a SW that serves
> a non-existent malicious Flash file, appearing to come from good.com. From
> there, the Flash file can make requests to good.com and can read CSRF tokens
> or other sensitive information from the responses.

A service worker cannot do that. If you create the Flash file within
evil.com, it cannot appear as if it was from good.com. Having said, we
have not worked out the exact details of serving up responses, but
overwriting cross-origin URL space is not in the cards.

Received on Thursday, 27 March 2014 15:20:55 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:38 UTC