caches global property should not be available in Dedicated/Shared WorkerGlobalScope with {credentials: 'omit'}
#1721
Comments
BlobTheKat
changed the title
caches global property should not be available in Dedicated/Shared WorkerGlobalScope with {credentials: 'omit'}caches global property should not be available in Dedicated/Shared WorkerGlobalScope with {credentials: 'omit'}
|
I agree that all storage APIs should behave the same, so if there are cases where localstorage/indexedDB are not available cache storage probably should be rejecting as well; i.e. opaque origins would be one such case. I'm not sure where this behavior is defined for credentials: omit for indexedDB and localStorage? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Exposing access to
cacheswith{credentials: 'omit'}could allow an untrusted worker running on a web page to overwrite existing cache entries, where it could inject an arbitrary script that would be run the next time the page is loaded. Such a script would then have not just one-time but permanent access to the page's credentials.Currently both
localStorageandindexedDBare inaccessible for workers with this option, this should also be made the case forcachesThe text was updated successfully, but these errors were encountered: