On 9/20/17 12:17, Ted Hardie wrote:
That there is no intent to allow that information to be further
propagated is certainly useful to know, but if I understand you (and
Adam) correctly, this problem must be handled somewhere because of the
intersection of this proposal and JavaScript capabilities in a modern
browser.
This can be done with or without any work in the IETF. If the hack mnot
describes is possible[1], then having a standardized format for
launching such queries (rather than doing the *exact* same thing in a
proprietary syntax) neither helps nor hinders the attack.
That said, I want to stress quite heavily that I don't think this kind
of attack is possible due to the scoping rules around which resources a
service worker is allowed to handle.
/a
____
[1] I'm extremely dubious that this could be pulled off even for normal
resources; for HTTPS-secured resources, replacing the host with the
result of DNS resolution would cause cert validation to fail, so it
definitely can't be mounted there.