(In reply to Tomislav Jovanovic :zombie from comment #1)
Thank you for the detailed explanation and PoC.
> (In reply to Jake Heath from comment #0)
> > This would allow extension developers to monitor all HTTP traffic from that domain
> In order to install a ServiceWorker for the origin, the extension already needs all permissions which would allow it to "monitor all traffic".
You're correct here. The main point of the issue though is the persistence, maybe a title change is needed. After the extension is uninstalled, the ServiceWorker remains.
Since the ServiceWorker can be installed with any random query parameter, as demonstrated in the code, this also makes it extremely difficult for the true owners of the domain to remove the ServiceWorker from the user's browser.
> I managed to unregister it via the console by reading navigator.serviceWorker.controller and creating a new ServiceWorkerRegistration with the same
Oh neat, I didn't know of this API. That would help domain owners remove these extensions programmatically.
> huh, I guess this is step 7 from the update fetch algorithm:
> I'm not that familiar with the ServiceWorkers design, but this seems like a foot gun for websites using them even without any malicious extensions. It looks like deleting the whole website and turning it into static content would keep the service worker alive forever, since those requests would likely return a text/html 404 error page.
> If we want to mitigate that without changing the API, then we could consider adding a flag to service workers whose response have been tainted by the webRequest.filterResponseData / StreamFilter API, and forcibly unregister such service workers upon extension uninstall.
Agreed, I think the fix should be that ServiceWorkers injected via extensions should be unloaded when the extension is unloaded. This sounds like a difficult engineering effort, but one that would be worth it. I can think of so many avenues for extensions to abuse this functionality to leak information about users who install their extension, and I think it would be incredibly difficult to put this burden on domain owners to regularly check for malicious ServiceWorkers that have been installed on the domain.
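The thread leaves the domain-owner side of the cleanup as a one-off console trick. The following is an added example, not code from the bug report or from Firefox, of what a site could ship as a routine check: it enumerates the origin's ServiceWorker registrations through the standard `navigator.serviceWorker.getRegistrations()` API, treats any registration whose script URL carries a query string (the trick described above) or whose path is not on the site's own allow-list as foreign, and unregisters it. The allow-list, the `example.test` origin and the sample registration objects are constructed for the example; the classification is kept in pure functions so it can be exercised outside a browser.

```javascript
// Added example (not from the bug report): a domain owner's periodic cleanup of
// ServiceWorker registrations that the site itself never created.

// Hypothetical allow-list of worker script paths this site actually serves.
// A legitimate registration has exactly one of these paths and no query string.
const ALLOWED_WORKER_PATHS = new Set(['/sw.js', '/app/worker.js']);

// True when a worker's script URL does not match anything the site serves.
// Any query string or fragment counts as foreign, because the persistence trick
// relies on an arbitrary query parameter that the real site has no reason to use.
function isForeignWorker(scriptURL, allowedPaths = ALLOWED_WORKER_PATHS) {
  const url = new URL(scriptURL);
  if (url.search !== '' || url.hash !== '') return true;
  return !allowedPaths.has(url.pathname);
}

// Pure classification over registration-like objects ({ scope, active|waiting|installing }),
// the shape returned by navigator.serviceWorker.getRegistrations(). Kept free of
// browser globals so it can be unit-tested.
function selectForeign(registrations, allowedPaths = ALLOWED_WORKER_PATHS) {
  return registrations.filter((reg) => {
    const worker = reg.active || reg.waiting || reg.installing;
    return Boolean(worker) && isForeignWorker(worker.scriptURL, allowedPaths);
  });
}

// Browser entry point: run from a page on the origin (or from DevTools on it).
// Returns the scopes that were unregistered; returns [] where there is no browser.
async function cleanupForeignWorkers(allowedPaths = ALLOWED_WORKER_PATHS) {
  if (typeof navigator === 'undefined' || !('serviceWorker' in navigator)) return [];
  const registrations = await navigator.serviceWorker.getRegistrations();
  const foreign = selectForeign(registrations, allowedPaths);
  for (const reg of foreign) {
    await reg.unregister(); // standard ServiceWorkerRegistration.unregister()
  }
  return foreign.map((reg) => reg.scope);
}

// Constructed sample input mirroring getRegistrations() output: one legitimate
// worker, one registered with a random query parameter, one from an unknown path.
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://example.test/', active: { scriptURL: 'https://example.test/sw.js' } },
  { scope: 'https://example.test/account/', active: { scriptURL: 'https://example.test/sw.js?x=3fa9' } },
  { scope: 'https://example.test/app/', installing: { scriptURL: 'https://example.test/app/evil.js' } },
];

// Stand-alone run: classify the constructed sample and attempt the browser cleanup.
selectForeign(SAMPLE_REGISTRATIONS).forEach((reg) => {
  console.log('foreign worker at scope', reg.scope);
});
cleanupForeignWorkers().then((scopes) => console.log('unregistered:', scopes));
```

This only helps users who revisit a page that runs it, and only for a script controlled by the site. A server-side complement that does not depend on page JavaScript is the `Clear-Site-Data: "storage"` response header, which instructs the browser to drop the origin's storage including its ServiceWorker registrations; either way, this is the domain owner cleaning up after the extension, which is the burden the reply above argues should not exist.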