
Push requests only exist on Chrome and are behind a permission, intercepting resource requests within the domain of a website could cause some annoyances, can’t see the malware effect immediately. Scheduling a download for a stable connection, again, could be an annoyance, but what’s the malware implication?



The malware angle is basically service-worker-powered cache poisoning: if you can get the server to serve your code once, users can get a service worker installed, and intercept resource requests under that path. It’s limited in practical value because you have to be able to serve a full JS file as the service worker, rather than just injecting a snippet of JS as the most common technique is, but it is a genuine attack vector.


Service workers automatically reload after 24 hours, regardless of caching headers (though I believe they’ll respect a 304). I believe this was done partially to limit the duration of such a compromise.
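A server-side check against the scenario in the two comments above, added here as an example and not posted by anyone in the thread: browsers send a `Service-Worker: script` request header when fetching a worker script, so a server can refuse that fetch for any path it did not intend to host a worker on. The allow-list, the function names and the sample paths are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). ALLOWED_SW_SCRIPTS and all sample
// paths below are constructed for illustration.
const ALLOWED_SW_SCRIPTS = new Set(["/sw.js"]);

// By default a worker's maximum scope is the directory of its script URL
// (unless the response widens it with a Service-Worker-Allowed header).
function maxScope(scriptPath) {
  return scriptPath.slice(0, scriptPath.lastIndexOf("/") + 1);
}

// Could a worker registered from scriptPath intercept a fetch of resourcePath?
function couldIntercept(scriptPath, resourcePath) {
  return resourcePath.startsWith(maxScope(scriptPath));
}

// path: URL pathname without query string.
// headers: object with lower-cased names, as Node's http module provides.
function decide(path, headers) {
  const value = (headers["service-worker"] || "").toLowerCase();
  if (value !== "script") {
    return { status: 200, reason: "ordinary request" };
  }
  if (ALLOWED_SW_SCRIPTS.has(path)) {
    return { status: 200, reason: "allow-listed worker script" };
  }
  return {
    status: 403,
    reason: "worker script not allow-listed; would control " + maxScope(path),
  };
}

// Constructed sample requests.
const samples = [
  ["/sw.js", { "service-worker": "script" }],
  ["/uploads/u123/evil.js", { "service-worker": "script" }],
  ["/uploads/u123/evil.js", {}],
];
for (const [path, headers] of samples) {
  const verdict = decide(path, headers);
  console.log(path, verdict.status, verdict.reason);
}
```
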


I don't want to be compromised at all and it seems like a great way to keep it that way is to force web pages to live in, you know, pages which I can close and know they aren't affecting my browser.

It also breaks my mental model of how the browser works in a way that will be incomprehensible to users.

Instead of "my computer is acting funny, I need to reboot" we will have "my browser is acting funny, I need to restart it", or we can combine the 2.

"My browser is acting funny, let's power cycle again." Coming soon to a Windows PC near you.


Unless there’s a sandbox escape, the worst it could do is use some extra CPU cycles and RAM. It’s not good at doing stuff like bitcoin mining because it’s event driven (much more like a page than a web worker). All the browsers are also very aggressive at killing them unless a page is open or you get a push notification.


People are bad at managing permissions. Making people's security depend on responding reasonably to a dialog box nearly always ends in tears.

If I popped up a dialog box asking to harvest a kidney, 30% of users would click yes.



