Re: Request for input on Foreign Fetch

Hi,


It may be already dealt with - but I can see 2 concerns

1) How do you know who is asking for the resource - these isn't an obvious
way to identify them. What data will be passed into the event that allows
that? I can see it would be useful to have some caller identification.

2) If I've been hacked 'once' and a bad guy installs a service worker does
this let them mess with my traffic for an extended period.

Ben Gidley

On Thu, 28 Jan 2016 at 05:18 Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 28 January 2016 at 06:08, Anne van Kesteren <annevk@annevk.nl> wrote:
> > I meant the latter. We would not issue an OPTIONS fetch. CORS OPTIONS
> > is a check to see if the server is CORS-aware. Here the service worker
> > obviously is aware of cross-origin fetches.
>
> Ack, thanks.  That leaves the question of ambient authority and I
> think for that you already have your answer and you just aren't happy
> with it :)
>
> Namely, opting in to foreign fetch for a given path prefix (or scope)
> is an implicit acceptance of the use of ambient authority for all
> those intercepted requests.  Suppressing credentials and reducing
> visibility would be the responsibility of the SW using explicit
> controls, not the browser using implicit inference.
>
> Ultimately, I think that's a nice outcome.
>
> Can then we reduce this problem to one of developer education?
>
> --
Ben Gidley
ben@gidley.co.uk

Received on Thursday, 28 January 2016 11:34:21 UTC