Closed ymajoros closed 2 years ago
I haven't dug too deep yet but isn't this an API to unregister a service worker? https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerRegistration/unregister
Indeed, this mitigation won't work. I overlooked the registration itself and focused on https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorkerContainer . I'll rework this and focus on what can be guaranteed by specs.
I removed the part about service workers for now. I'll see if I can further improve it in another PR.
I moved the considerations about XSS to a general section: all architectures are concerned.
I added some words about bypassing the Service Worker: this would need a very broad successful XSS, with a much broader attack surface than what is typically the case. This can be mitigated by making sure that registering the service worker is the very first thing happening. There is also no API for unregistering a SW, so it can't be removed after the fact.