Nice docs by @fugueish on service worker security considerations: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/security-faq/service-worker-security-faq …
Background Sync will allow one-shot wakeups. No ability to schedule arbitrary wakeups w/o user consent.
So if you're on a different network when connectivity is restored, you leak to site new IP address. Even if you never visit that site again.
You also leak to network operator that you previously visited that site due to DNS/SNI/etc. leaks.
The user isn't consenting if they're only accepting something like notifications, not background coarse location tracking via IP, etc.
Notifications / push != persistent, background application to an end user, even experts on web standards and security that missed this.