Service Workers: an Introduction (opens in new tab)

W3C: "Service workers create the opportunity for a bad actor to turn a bad day into a bad eternity."[1] With service workers, cross-site scripting vulnerabilities are forever.

Service workers install by drive-by, which is troubling. In Firefox, check "about:serviceworkers" to see what you have installed. Take a look. You probably have far more service workers active than you thought. There are supposed to be enough cross-site scripting restrictions to keep service workers contained to their origin domain, but some holes have been found. There was a successful service worker attack on Dropbox, since fixed. "If you run a site that serves user files with secret URLs from a shared domain, you need to look out for the Service-Worker: script HTTP header; if you see it, run for the hills."[2]

If an attacker can get one page loaded from a site being attacked, they then own all traffic between the user and the site. This has lots of attack potential.

[1] https://www.w3.org/TR/service-workers/#security-consideratio... [2] https://alf.nu/ServiceWorker

Chrome also has chrome://serviceworker-internals.

I have no idea why Hampton Farms saw it fit to install a service worker. Furthermore, this isn't gated by a permission dialog like location services or plugin access?

Note that this is the low-level API. For most people, I think, the recommended approach is to use libraries instead. Google itself has released sw-toolbox and sw-precache. There’s also a web-push server module for push messages.

You gotta see the humor in Google being of the opinion that a "service worker is a script". I mean, we've all kinda expected that Larry Page is under the assumption that we're all just subroutines running in his "matrix", but now it's official.

This seems like a security nightmare. I sincerely hope there's a way to just turn off "offline experience" in Chrome before service workers become widespread. The browser is a dangerous place to execute software. I suppose native apps can be just as insecure, but I worry about an ecosystem with many neighbors (web apps, extensions, plugins, add-ons, etc) running in the same process. It's much more likely one web app can steal my passwords from LastPass, for example, without knowing it. The chain of vectors just feels really dangerous.

Oops. I thought this might be an attempt at rapprochement with their janitorial staffs. Perhaps the wrong nomenclature for our new era.

Regarding HTTPs: there is https://test.bi

I haven't read the specs, can you spawn multiple service workers on a single page ?

If yes, what are the security measures to stop a rogue site to blow up your browser ?

How can I protect my browser against these things?

this seems unnecessary as you need a html file and browser to bootstrap anyway. There is more to it though, it can continue to run after the browser has exited and intercept push mesages.