-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Exposing Sec-Fetch
headers to Service Workers via Request().Headers()
#38
Comments
In Chrome, we've modeled these headers as being attached at the time we hit the network, so they're not visible in Service Workers. This would be a little bit hard to change given the point at which we attack /cc @anforowicz. |
Yeah, if we do this, the |
Authors can use Service Workers and the Cache API to serve responses from the cache in a SW; when this happens an attacker may be able to make a request to the target origin and have the response served by that origin's SW. If a response was previously cached for a
same-origin
request, but the SW responds with the same data to across-site
request, it could return a sensitive resource to the attacker, allowing her to learn information via the usual information leak vectors.Should we consider exposing the values of
Sec-Fetch-*
headers via the Headers() API to allow developers to implement logic in SWs similar to what they may have server-side? I think this should be safe, but we should definitely think about this.The text was updated successfully, but these errors were encountered: