Backdoor Service Workers

When I was moderating that panel at the Progressive Web App dev Summit, I brought up this point about twenty minutes in:

Alex, in your talk yesterday you were showing the AMP demo there with the Washington Post. You click through and there’s the Washington Post AMP thing, and it was able to install the Service Worker with that custom element. But I was looking at the URL bar …and that wasn’t the Washington Post. It was on the CDN from AMP. So I talked to Paul Backaus from the AMP team, and he explained that it’s an iframe, and using an iframe you can install a Service Worker from somewhere else.

Alex and Emily explained that, duh, that’s the way iframes work. It makes sense when you think about it—an iframe is pretty much the same as any other browser window. Still, it feels like it might violate the principle of least surprise.

Let’s say you followed my tongue-in-cheek advice to build a progressive web app store. Your homepage might have the latest 10 or 20 progressive web apps. You could also include 10 or 20 iframes so that those sites are “pre-installed” for the person viewing your page.

Enough theory. Here’s a practical example…

Suppose you’ve never visited the website for my book, html5forwebdesigners.com (if you have visited it, and you want to play along with this experiment, go to your browser settings and delete anything stored by that domain).

You happen to visit my website adactio.com. There’s a little blurb buried down on the home page that says “Read my book” with a link through to html5forwebdesigners.com. I’ve added this markup after the link:

<iframe src="https://html5forwebdesigners.com/iframe.html" style="width: 0; height: 0; border: 0">
</iframe>

That hidden iframe pulls in an empty page with a script element:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>HTML5 For Web Designers</title>
<script>
if ('serviceWorker' in navigator) {
  navigator.serviceWorker.register('/serviceworker.js');
}
</script>
</head>
</html>

That registers the Service Worker on my book’s site which then proceeds to install all the assets it needs to render the entire site offline.

There you have it. Without ever visiting the domain html5forwebdesigners.com, the site has been pre-loaded onto your device because you visited the domain adactio.com.

A few caveats:

  1. I had to relax the Content Security Policy for html5forwebdesigners.com to allow the iframe to be embedded on adactio.com:

    Header always set Access-Control-Allow-Origin: "https://adactio.com"

  2. If your browser’s settings has “Block third-party cookies and site data” selected in the preferences, the iframe-invoked Service Worker won’t install:

    Uncaught (in promise) DOMException: Failed to register a ServiceWorker: The user denied permission to use Service Worker.

The example I’ve put together here is relatively harmless. But it’s possible to imagine more extreme scenarios. Imagine there’s a publishing company that has 50 websites for 50 different publications. Each one of them could have an empty page waiting to be embedded via iframe from the other 49 sites. You only need to visit one page on one of those 50 sites to have 50 Service Workers spun up and caching assets in the background.

There’s the potential here for a tragedy of the commons. I hope we’ll be sensible about how we use this power.

Just don’t tell the advertising industry about this.

Have you published a response to this? :

Responses

Webrocker

(…) Just don’t tell the advertising industry about this. (…)adactio.com

Ouch. Good find, Jeremy.

# Posted by Webrocker on Thursday, July 7th, 2016 at 5:02pm

Hidde

“There you have it. Without ever visiting the domain, the site has been pre-loaded onto your device” adactio.com/journal/10924

# Posted by Hidde on Monday, August 8th, 2016 at 10:29am

2 Shares

# Shared by Claudio (aglioeolio) on Thursday, July 7th, 2016 at 4:16pm

# Shared by Jay Wintermeyer on Wednesday, March 6th, 2019 at 6:38pm

4 Likes

# Liked by Jan Skovgaard on Thursday, July 7th, 2016 at 5:03pm

# Liked by Front-End Front on Sunday, July 10th, 2016 at 9:26pm

# Liked by Beth Dean on Wednesday, March 6th, 2019 at 7:08pm

# Liked by Jay Wintermeyer on Wednesday, March 6th, 2019 at 7:08pm

Related posts

Trust

I’m trying to understand why developers would trust third-party code more than a native browser feature.

When service workers met framesets

The browser equivalent of a Roman legion showing up in a space opera.

Am I cached or not?

Complementing my site’s service worker strategy with an extra interface element.

Move Fast and Don’t Break Things by Scott Jehl

A presentation at An Event Apart Seattle 2019.

New tools for art direction on the web

Variable fonts + CSS grid + service workers

Related links

minimum interesting service worker

An interesting idea from Tantek for an offline page that links off to an archived copy of the URL you’re trying to reach—useful for when you’re site goes down (though not for when the user’s internet connection is down).

Tagged with

It’s Time to Build a Progressive Web App. Here’s How – The New Stack

Much as I appreciate the optimism of this evaluation, I don’t hold out much hope that people’s expectations are going to change any time soon:

Indeed, when given a choice, users will opt for the [native] app version of a platform because it’s been considered the gold standard for reliability. With progressive web apps (PWAs), that assumption is about to change.

Nonetheless, this is a level-headed look at what a progressive web app is, mercifully free of hand-waving:

  • App is served through HTTPS.
  • App has a web app manifest with at least one icon. (We’ll talk more about the manifest shortly.)
  • App has a registered service worker with a fetch event handler. (More on this later too.)

Tagged with

Streets Series’ Articles - DEV Community 👩‍💻👨‍💻

This is a really excellent four-part series on web performance that really dives into the technical details and asks all the right questions:

  1. Making the world’s fastest website, and other mistakes
  2. The weirdly obscure art of Streamed HTML
  3. Speed Needs Design, or: You can’t delight users you’ve annoyed
  4. Routing: I’m not smart enough for a SPA

Tagged with

How to make MPAs that are as fast as SPAs | Go Make Things

The headline is a little misleading because if you follow this advice, your multi-page apps will be much much faster than single page apps, especially when you include that initial page load of a single page app.

Here’s a quick high-level summary of what I do…

  1. Serve pre-rendered, mostly static HTML.
  2. Inline everything, including CSS and JavaScript.
  3. Use mostly platform-native JavaScript, and as little of it as possible.
  4. Minify and gzip all the things.
  5. Lean heavily on service workers.

That’s an excellent recipe for success right there!

Tagged with

Now THAT’S What I Call Service Worker! – A List Apart

This is terrific! Jeremy shows how you can implement a fairly straightforward service worker for performance gains, but then really kicks it up a notch with a recipe for turning a regular website into a speedy single page app without framework bloat.

Tagged with

Previously on this day

15 years ago I wrote Misunderstanding markup

The death of XHTML has been greatly exaggerated.

17 years ago I wrote Typing up

Calculating vertical rhythm and horizontal alignment.

17 years ago I wrote Charlie Romeo Alpha Zebra Yankee

Never a dull moment.

19 years ago I wrote I'm okay

Following the attacks in London this morning, I’ve had messages from friends abroad asking if I’m alright. Thank you all for your concern. I’m fine.

22 years ago I wrote Whorechalking

Tom Coates has put together a site detailing the next logical step up from Warchalking.