Service Workers: an Introduction

126 points, posted by mnazim over 8 years ago

10 comments

Animats, over 8 years ago

W3C: "Service workers create the opportunity for a bad actor to turn a bad day into a bad eternity."[1] With service workers, cross-site scripting vulnerabilities are forever.

Service workers install by drive-by, which is troubling. In Firefox, check "about:serviceworkers" to see what you have installed. Take a look. You probably have far more service workers active than you thought. There are supposed to be enough cross-site scripting restrictions to keep service workers contained to their origin domain, but some holes have been found. There was a successful service worker attack on Dropbox, since fixed. "If you run a site that serves user files with secret URLs from a shared domain, you need to look out for the Service-Worker: script HTTP header; if you see it, run for the hills."[2]

If an attacker can get one page loaded from a site being attacked, they then own all traffic between the user and the site. This has lots of attack potential.

[1] https://www.w3.org/TR/service-workers/#security-considerations
[2] https://alf.nu/ServiceWorker
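The quoted advice about the Service-Worker request header, turned into a server-side guard, as an added example that is not part of the thread, the W3C spec, or the alf.nu write-up: a browser fetching a script for registration sends `Service-Worker: script`, so a shared origin that also serves user-uploaded files can refuse to answer such a fetch from the upload paths. The path prefixes and the response-header policy are assumptions for the example.

```javascript
// Added example: guard a shared origin that serves user-uploaded files.
// When a page calls navigator.serviceWorker.register(url), the browser
// fetches url with the request header "Service-Worker: script". If that
// fetch is answered with a user-controlled file, the file becomes a service
// worker for the whole origin. The guard below refuses exactly that case.

// Hypothetical prefixes under which user-controlled content lives
// (an assumption for this example, not from the page).
const USER_CONTENT_PREFIXES = ['/uploads/', '/files/'];

function isUserContentPath(pathname) {
  return USER_CONTENT_PREFIXES.some((p) => pathname.startsWith(p));
}

// Decide how to answer one request. `headers` uses lowercase names, the
// shape Node's http.IncomingMessage.headers has.
function checkServiceWorkerFetch(pathname, headers) {
  const swHeader = String(headers['service-worker'] || '').trim().toLowerCase();
  const isSwScriptFetch = swHeader === 'script';
  if (isSwScriptFetch && isUserContentPath(pathname)) {
    // Worth alerting on: someone is trying to register user content as a worker.
    return { allow: false, status: 403,
             reason: 'service worker script fetch from user-content path' };
  }
  return { allow: true, status: 200,
           reason: isSwScriptFetch ? 'service worker script fetch' : 'ordinary fetch' };
}

// Defence in depth for every user-content response: no MIME sniffing, force
// download, and a CSP that disallows executing anything in the document.
function userContentResponseHeaders() {
  return {
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
    'Content-Security-Policy': "default-src 'none'",
  };
}

// Constructed sample requests (not real traffic) showing the three outcomes.
function demo() {
  return [
    checkServiceWorkerFetch('/uploads/avatar.js', { 'service-worker': 'script' }),
    checkServiceWorkerFetch('/sw.js', { 'service-worker': 'script' }),
    checkServiceWorkerFetch('/uploads/photo.png', {}),
  ];
}
```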
gfaure, over 8 years ago

Chrome also has chrome://serviceworker-internals.

I have no idea why Hampton Farms saw it fit to install a service worker. Furthermore, this isn't gated by a permission dialog like location services or plugin access?
SimeVidas, over 8 years ago
Note that this is the low-level API. For most people, I think, the recommended approach is to use libraries instead. Google itself has released sw-toolbox and sw-precache. There’s also a web-push server module for push messages.
throwaway98237, over 8 years ago

You gotta see the humor in Google being of the opinion that a "service worker is a script". I mean, we've all kinda expected that Larry Page is under the assumption that we're all just subroutines running in his "matrix", but now it's official.
jonaf, over 8 years ago

This seems like a security nightmare. I sincerely hope there's a way to just turn off "offline experience" in Chrome before service workers become widespread. The browser is a dangerous place to execute software. I suppose native apps can be just as insecure, but I worry about an ecosystem with many neighbors (web apps, extensions, plugins, add-ons, etc.) running in the same process. It's much more likely one web app can steal my passwords from LastPass, for example, without knowing it. The chain of vectors just feels really dangerous.
cproctor, over 8 years ago
Oops. I thought this might be an attempt at rapprochement with their janitorial staffs. Perhaps the wrong nomenclature for our new era.
Eun, over 8 years ago

Regarding HTTPS: there is https://test.bi
crudbug, over 8 years ago

I haven't read the specs; can you spawn multiple service workers on a single page?

If yes, what are the security measures to stop a rogue site from blowing up your browser?
voltagex_, over 8 years ago
How can I protect my browser against these things?
z3t4, over 8 years ago

This seems unnecessary, as you need an HTML file and a browser to bootstrap anyway. There is more to it, though: it can continue to run after the browser has exited and intercept push messages.