Add a Service-Worker-Exclude Header #1690
Comments
|
A service worker is controlled by the same origin that you’re sending the request to. What’s being imagined here, exactly? It seems considerably more shaky at a glance to me to suggest requests from a different origin should be able to choose to bypass internal aspects of that origin’s own implementation of its endpoints. |
|
That's not what I'm proposing. I'm proposing that, when an origin installs it's worker, a I do have a use-case where this would be useful, by allowing me to make sure the client side of my application won't be able to intercept a request to a specific location on my applications origin. But that is just a use-case, something this would be useful for, not the proposal itself. |
I'm currently developing an SSO solution, and ran into some difficulties: https://github.com/Daniel-Abrecht/dpa-sso#security-relevant-limitations
To sum it up, I can't rely on cross origin cookies to store a session token, because browsers allow disabling them nowadays. For that reason, I pass it to a well known location at the origin which needs the token as a get parameter. If that origin has a service worker installed, it could intercept that token. For some applications, that may be desirable, but for others, it could be problematic.
I'm still looking for a safer way to pass the token, but it would be nice to also have a way to prevent a service worker from handling requests to certain locations too.
For that reason, I propose adding a
Service-Worker-Excludeheader, that would have some similarities to theService-Worker-Allowedheader. I would like it to work as follows.Service-Worker-Excludeshould contain a list of locations who will not be handled by the service worker and just bypass it entirely. It should be set when installing the service worker. That way, I could, for example, make sure the entire/.well-known/directory won't be handled by a service worker.The text was updated successfully, but these errors were encountered: