
New browser attack lets hackers run bad code even after users leave a web page - tambourine_man
https://www.zdnet.com/article/new-browser-attack-lets-hackers-run-bad-code-even-after-users-leave-a-web-page/
======
olliej
This is the exact attack that led to the delayed addition of service workers
to safari and webkit. It’s why the shipped version is (to quote people on
Twitter) “crippled” and doesn’t allow persistence of workers.

Service workers are, and shall remain, a terrible feature. The basic problem
is that web navigation doesn’t involve any explicit signal by the user that
they want persistent execution - installing an app locally provides that
signal.

~~~
tambourine_man
>installing an app locally provides that signal

While running, yes. But as soon as we get demons all intuitions are lost

~~~
olliej
Yes, but there’s a huge signal that the user wants something to run outside of
the context of the current web page.

Service workers allow drive by installation semi-persistent malware. Not as
bad as actual downloaded software malware, but on the other hand it doesn’t
require user action to start.

The signal from user downloading and running something is that they no longer
associate what the app is doing with the existence of that tab.

This step also means that while strictly more powerful the OS can enforce
other restrictions to limit damage (as much as possible when users insist on
disabling protections).

Again, service workers don’t have that signal, asking in a dialog is not
useful, and by design they are user hostile - web developers wanted these
features to support use cases that aren’t super compelling.

