
"Imagine being able to respond to push notifications, intercept resource requests, and schedule background synchronization, all without the need for a user to actively have your website open in front of them."

".. by authoring special-purpose JavaScript which you register with the browser."

Why does this seem like something useful for malware and generally annoying me?




Push requests only exist on Chrome and are behind a permission, intercepting resource requests within the domain of a website could cause some annoyances, can’t see the malware effect immediately. Scheduling a download for a stable connection, again, could be an annoyance, but what’s the malware implication?


The malware angle is basically service-worker-powered cache poisoning: if you can get the server to serve your code once, users can get a service worker installed, and intercept resource requests under that path. It’s limited in practical value because you have to be able to serve a full JS file as the service worker, rather than just injecting a snippet of JS as the most common technique is, but it is a genuine attack vector.


Service workers automatically reload after 24 hours, regardless of caching headers (though I believe they’ll respect a 304). I believe this was done partially to limit the duration of such a compromise.
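A server-side mitigation for the vector discussed above (getting the server to serve a full JS file that is then installed as a service worker), as an added example that is not part of the thread: browsers send a `Service-Worker: script` request header when fetching a worker script, so the server can refuse that fetch everywhere except its real worker file. The path `/sw.js`, the placeholder host and all function names are assumptions.

```javascript
// Added example, not code from the thread. "/sw.js" is an assumed path for the
// site's one legitimate worker script; all function names are hypothetical.
const ALLOWED_WORKER_SCRIPTS = new Set(["/sw.js"]);
const BASE = "http://placeholder.invalid"; // only used to parse request targets

// Browsers add "Service-Worker: script" to the request that fetches a worker
// script, both on register() and on later update checks.
function isWorkerScriptFetch(headers) {
  return Object.entries(headers).some(
    ([name, value]) =>
      name.toLowerCase() === "service-worker" &&
      String(value).trim().toLowerCase() === "script"
  );
}

// Resolve the request target to a normalized path (no query, no dot segments).
// Targets that parse to a different host ("//x/...", absolute URLs) yield null.
function normalizedPath(requestTarget) {
  try {
    const url = new URL(requestTarget, BASE);
    return url.host === "placeholder.invalid" ? url.pathname : null;
  } catch {
    return null; // unparsable target: treated as not allowlisted
  }
}

// Decide whether to serve the response. Ordinary <script> loads, uploads and
// JSONP-style endpoints keep working; they just cannot be installed as workers.
function checkRequest(requestTarget, headers, allowed = ALLOWED_WORKER_SCRIPTS) {
  if (!isWorkerScriptFetch(headers)) {
    return { allow: true, status: 200, reason: "not a worker script fetch" };
  }
  const path = normalizedPath(requestTarget);
  if (path !== null && allowed.has(path)) {
    return { allow: true, status: 200, reason: "allowlisted worker script" };
  }
  return { allow: false, status: 403, reason: "worker fetch for non-allowlisted path" };
}

// Constructed sample requests (not captured traffic).
const samples = [
  ["/sw.js?v=2", { "service-worker": "script" }],
  ["/uploads/avatar-123.js", { "Service-Worker": "script" }],
  ["/uploads/avatar-123.js", { accept: "*/*" }],
];
for (const [target, headers] of samples) {
  const d = checkRequest(target, headers);
  console.log(target, "->", d.status, d.reason);
}
```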


I don't want to be compromised at all, and it seems like a great way to keep it that way is to force web pages to live in, you know, pages which I can close and know they aren't affecting my browser.

It also breaks my mental model of how the browser works in a way that will be incomprehensible to users.

Instead of "my computer is acting funny, I need to reboot" we will have "my browser is acting funny, I need to restart it", or we can combine the 2.

"My browser is acting funny, let's power cycle again." Coming soon to a Windows PC near you.


Unless there’s a sandbox escape, the worst it could do is use some extra CPU cycles and RAM. It’s not good at doing stuff like bitcoin mining because it’s event driven (much more like a page than a web worker). All the browsers are also very aggressive at killing them unless a page is open or you get a push notification.


People are bad at managing permissions. Making people's security depend on responding reasonably to a dialog box nearly always ends in tears.

If I popped up a dialog box asking to harvest a kidney, 30% of users would click yes.


Most new web features seem to enable malware and other scummy things, all to promote the web as an app platform.

I would rather we leave HTTP to be a document model, and create something new and better to support "web-based" apps.


Open up about:serviceworkers and observe the wonders of cookies 2.0

Kinda sucks that something with such promise is predominantly used as just another weapon for tracking.


Service Workers isn't a new persistence mechanism, it uses existing ones.


Does it? It can access them, but clearing the existing ones doesn't necessarily clear the SW I think?



