Service Workers Used For Malvertising
Reported by
giffinj....@shdhs.org,
Apr 9 2018
|
|||
Issue descriptionChrome Version: 65.0.3325.184 (Official Build) (64-bit) <b>Chrome OS Version: <From about:version: Platform x.x.x.x></b> Chrome OS Platform: 10323.62.0 (Official Build) stable-channel ultima <b>Network info: <network, encryption type, router model (if known)></b> Please see https://framework.realtime.co/demo/web-push/. Notice how the service workers can be used for pushing notifications while the page is not open. This functionality is abused on the Chromebooks of everyone in my organization for malvertising. Please fix.
,
Apr 9 2018
My own thoughts on the topic are to simply dump the service workers memory files to the disk when there are no tabs or iframes pointing to pages on that service workers website. One potential way this could be done is tying into the garbage collection service to make a save of all the variables in the service worker's scopes. Then, when the user opens a tab to that page or an iframe points to that page, the service worker is resumed from disk-based hibernation and is runned to handle that page. Doing this will solve the problem and make Chrome run incredibly faster.
,
Apr 9 2018
,
Apr 9 2018
Push notifications via service workers are an intentional feature. The user must grant permission to the site explicitly, and there is UI to revoke permissions built into the notifications. |
|||
►
Sign in to add a comment |
|||
Comment 1 Deleted