oauth-wg / oauth-browser-based-apps

Best practices for OAuth in Browser-Based Apps
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps

review of latest feedback: restructuring, mitigating attack where a service worker is bypassed #20

Closed ymajoros closed 2 years ago

ymajoros commented 2 years ago

I moved the considerations about XSS to a general section: all architectures are concerned.

I added some words about bypassing the Service Worker: this would need a very broad successful XSS, with a much broader attack surface than what is typically the case. This can be mitigated by making sure that registering the service worker is the very first thing happening. There is also no API for unregistering a SW, so it can't be removed after the fact.

aaronpk commented 2 years ago

I haven't dug too deep yet but isn't this an API to unregister a service worker? https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerRegistration/unregister

ymajoros commented 2 years ago

Indeed, this mitigation won't work. I oversaw the registration itself and focused on https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerContainer . I'll rework this and focus on what can be guaranteed by specs.
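As an added example (not code from the draft, this PR or its authors), here is a minimal service worker in the token-handling role the thread is discussing: the access token is held only in worker memory and attached only to requests bound for one resource-server origin, so page script never sees it. The origin and endpoint names below are assumptions. The token-matching and header-building logic is kept in plain functions so it can be checked outside a browser; the `fetch` listener at the end only runs when the file is loaded as a worker. As the unregister() link above shows, script running in the page can remove the registration, so this layer narrows what an XSS can read directly but is not a boundary the spec guarantees.

```javascript
// Added example, not from the oauth-browser-based-apps draft or this PR.
// Origins and endpoint URLs are assumptions for illustration only.
const RESOURCE_ORIGIN = 'https://api.example.test';      // assumed resource server
const TOKEN_ENDPOINT = 'https://as.example.test/token';  // assumed token endpoint

// The token lives only in this worker-scoped variable: never in the page's
// JavaScript scope, localStorage, sessionStorage or a cookie.
let accessToken = null;

// Only attach the token to HTTPS requests whose origin matches exactly;
// a lookalike host or a downgraded scheme gets nothing.
function shouldAttachToken(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === 'https:' && parsed.origin === RESOURCE_ORIGIN;
}

// Build outgoing headers, adding Authorization only when the URL qualifies.
function buildHeaders(url, token, existing = {}) {
  const headers = { ...existing };
  if (token && shouldAttachToken(url)) {
    headers['Authorization'] = `Bearer ${token}`;
  }
  return headers;
}

// Pull a bearer token out of a token-endpoint response body (already parsed JSON).
function extractAccessToken(body) {
  if (typeof body !== 'object' || body === null) return null;
  if (body.token_type && body.token_type.toLowerCase() !== 'bearer') return null;
  return typeof body.access_token === 'string' ? body.access_token : null;
}

// Wire the functions above into a real worker when running as one.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function') {
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    if (req.url === TOKEN_ENDPOINT) {
      // Intercept the token response: keep the token here, hand the page only a status.
      event.respondWith(fetch(req).then(async (res) => {
        const body = await res.clone().json().catch(() => null);
        accessToken = extractAccessToken(body);
        return new Response(JSON.stringify({ ok: accessToken !== null }), {
          status: res.status,
          headers: { 'Content-Type': 'application/json' },
        });
      }));
      return;
    }
    if (accessToken && req.mode !== 'navigate' && shouldAttachToken(req.url)) {
      const headers = buildHeaders(req.url, accessToken, Object.fromEntries(req.headers));
      event.respondWith(fetch(new Request(req, { headers })));
    }
  });
}
```

The page registers this file with `navigator.serviceWorker.register()` before any other application script runs; requests the page makes to the resource server then pick up the token from the worker without the page ever holding it.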

ymajoros commented 2 years ago

I removed the part about service workers for now. I'll see if I can further improve it in another PR.