Path-based scope restrictions?

/app/ could just embed an and install it there.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>(As for reasoning about URL paths, per the URL standard a URL path is a sequence, so we have that underlying concept already.)</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jakearchibald"><img src="https://avatars.githubusercontent.com/u/93594?v=4" />jakearchibald</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p><code>googledrive.com</code> would benefit from something like this… or they should just do what everyone else does and give subdomains to each user.</p> <blockquote> <p>We'd have to change the meaning of the default scope from "<em>" "the current path minus any terminal location + "/</em>""</p> </blockquote> <p>If we did something like this, wouldn't it be better to enforce scope equal to, or a subset of <code>"*"</code> resolved against the service worker script url?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/johnmellor"><img src="https://avatars.githubusercontent.com/u/563043?v=4" />johnmellor</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>Restricting scopes based on the URL of the current page can be trivially bypassed, either by using history.pushState to change the URL of the page (within the same origin), or by opening a new window/iframe at the desired (same origin) URL and then injecting JS to that frame.</p> <p>It would however be possible to restrict scopes based on the URL <em>of the Service Worker script</em> (that's what I was suggesting <a href="https://github.com/slightlyoff/ServiceWorker/issues/224#issuecomment-41112782">on issue 224</a>).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/slightlyoff"><img src="https://avatars.githubusercontent.com/u/97331?v=4" />slightlyoff</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>This wouldn't be trivially by-passable. The original URL of the loaded document would be remembered and checked by the algorithm. Unsure why you assumed otherwise?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/johnmellor"><img src="https://avatars.githubusercontent.com/u/563043?v=4" />johnmellor</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>That would stop you using history.pushState, but it wouldn't stop you opening a new window/iframe at the desired URL and then injecting JS to that frame, unless you're proposing that we follow the frame tree and window.opener hierarchy all the way back to the first page loaded from that origin?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/slightlyoff"><img src="https://avatars.githubusercontent.com/u/97331?v=4" />slightlyoff</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>It has always been possible for pushState() misuse to create requests that fall outside a given registration. Don't Do That (TM). The only fix would be to only allow origin-wide registrations, and we're not going to do that.</p> <p>On Tue, May 13, 2014 at 2:34 PM, John Mellor notifications@github.comwrote:</p> <blockquote> <p>That would stop you using history.pushState, but it wouldn't stop you opening a new window/iframe at the desired URL and then injecting JS to that frame, unless you're proposing that we follow the frame tree and window.opener hierarchy all the way back to the first page loaded from that origin?</p> <p>— Reply to this email directly or view it on GitHubhttps://github.com/slightlyoff/ServiceWorker/issues/253#issuecomment-43016195 .</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/devd"><img src="https://avatars.githubusercontent.com/u/136985?v=4" />devd</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>I think you said it best when you created this issue: "at some level, this is security theater, but is it still meaningful"</p> <p>It would be nicer if we can get a better sense of what use-cases path-based restrictions achieve today. For example, in the Google Drive case, the user isn't allowed to upload arbitray JS. If user is allowed to upload and inject arbitrary JS, the attacks John points out already are ridiculously powerful. I guess the SW allows you to make a longer-lived attack. But this is already a problem for applications like Google Drive. (e.g., <a href="http://devd.me/papers/w2sp10-primitives.pdf">http://devd.me/papers/w2sp10-primitives.pdf</a>)</p> <p>More than security, I am worried about this restriction unnecessarily making serviceworkers onerous to use. This restriction assumes that slashes in URIs have some meaning but this isn't the case. For example, slashes in URIs don't need to correspond to actual folders and might be query parameters for all we know. Now, if user visits (via a direct link) example.com/param1/param2/, this page can't register a SW for example.com/param3/param4/ even thought they are all served by example.com/index.php. This seems wrong.</p> <p>If we are really really worried about this, we can allow the website to opt-in to this behavior via some HTTP header based mechanism. But, I think, that should be solved as part of the broader question of how/what CSP policies would allow a security team to reason about and control service worker registrations.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/slightlyoff"><img src="https://avatars.githubusercontent.com/u/97331?v=4" />slightlyoff</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>I agree; both about path restriction being onerous and about them presenting a strange model that doesn't necessarily match any other restriction we impose anywhere in the platform.</p> <p>@jakearchibald suggested a clever middle-ground for winnowing down the set of unintended serviceworker installations: require a valid script mime type. Combined with a a header (CSP extension?) that allows us to disable/prevent SW registrations, I think this covers a great deal of the risk. In the case where there's a site like googleusercontent or github.io, they should blanket-send the SW-disabling CSP rule. In less multi-user origins, the mimetype restriction can prevent transient content (a comment stream or a JSON/image document) from being abused to create longer-term pwnage of a site that legitimately wants to enable Service Workers but might worry about how they might be used to pry open the window of vulnerability.</p> <p>WDYT?</p> <p>On Tue, May 13, 2014 at 5:49 PM, Devdatta Akhawe notifications@github.comwrote:</p> <blockquote> <p>I think you said it best when you created this issue: "at some level, this is security theater, but is it still meaningful"</p> <p>It would be nicer if we can get a better sense of what use-cases path-based restrictions achieve today. For example, in the Google Drive case, the user isn't allowed to upload arbitray JS. If user is allowed to upload and inject arbitrary JS, the attacks John points out already are ridiculously powerful. I guess the SW allows you to make a longer-lived attack. But this is already a problem for applications like Google Drive. (e.g., <a href="http://devd.me/papers/w2sp10-primitives.pdf">http://devd.me/papers/w2sp10-primitives.pdf</a>)</p> <p>More than security, I am worried about this restriction unnecessarily making serviceworkers onerous to use. This restriction assumes that slashes in URIs have some meaning but this isn't the case. For example, slashes in URIs don't need to correspond to actual folders and might be query parameters for all we know. Now, if user visits (via a direct link) example.com/param1/param2/, this page can't register a SW for example.com/param3/param4/ even thought they are all served by example.com/index.php. This seems wrong.</p> <p>If we are really really worried about this, we can allow the website to opt-in to this behavior via some HTTP header based mechanism. But, I think, that should be solved as part of the broader question of how/what CSP policies would allow a security team to reason about and control service worker registrations.</p> <p>— Reply to this email directly or view it on GitHubhttps://github.com/slightlyoff/ServiceWorker/issues/253#issuecomment-43031014 .</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/devd"><img src="https://avatars.githubusercontent.com/u/136985?v=4" />devd</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>sounds good to me. </p> <p>Heck, regardless of whether we believe this is sufficient for fixing this issue (#253), I believe the spec should insist on the right mime-type for a SW script. The origin restriction doesn't amount for much without it.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jakearchibald"><img src="https://avatars.githubusercontent.com/u/93594?v=4" />jakearchibald</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>Appcache may limit the scope of FALLBACK by the location of the manifest <a href="https://www.w3.org/Bugs/Public/show_bug.cgi?id=25699">https://www.w3.org/Bugs/Public/show_bug.cgi?id=25699</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/devd"><img src="https://avatars.githubusercontent.com/u/136985?v=4" />devd</a> commented <strong> 10 years ago</strong> </div> <div class="markdown-body"> <p>@jakearchibald Seems like same argument against path-based mechanism that applied to SW applies to Appcache too.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/jakearchibald"><img src="https://avatars.githubusercontent.com/u/93594?v=4" />jakearchibald</a> commented <strong> 9 years ago</strong> </div> <div class="markdown-body"> <p>We shipped path-based restrictions</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

w3c / ServiceWorker

Path-based scope restrictions? #253