Joseph Garrone
Hello @pvnt, Thank you for your PR! Before I proceed with merging, I want to ensure I fully understand how this change will benefit your use case. Beside there might...
@pvcnt You're absolutely right about everything. I've realized that the WebWorker support offered doesn't work in dev mode. Since I haven't been using web workers in my recent projects, this...
Hello @melishev, Thank you for your kind feedback. While I could obfuscate it further, I don’t believe it would provide any meaningful security benefits. At best, it might slightly increase...
I'll see what I can do but this isn't easy. It requires an important rewrite.
Brilliant @bakkot, Thank you very much. This is embarrassing for me, but I'm very happy you reported it! This is especially critical since this approach enables bypassing the host...
> You also need to include workers in the threat model, not just iframes, for similar reasons.

Well, I do limit SW registration: https://github.com/keycloakify/oidc-spa/blob/29f1a43ba497fe177df3d4299a45022ce70dba07/src/core/tokenExfiltrationDefense.ts#L801-L802 So if the worker itself bundles...
Yeah, for Web Workers I'm okay leaving that to CSP. Service Workers are extremely sensitive; they can be abused by untargeted supply-chain or XSS attacks for token exfiltration, so oidc-spa...
I hope I didn't miss anything.
> Second example in the OP still works

My god, you're right. I went through several iterations yesterday and the addition of `URL` to the list of builtins to freeze...
Well... I can't thank you enough @bakkot, I've addressed this specific concern. There are probably other angles, but I'm already very grateful for the vectors you had me patch. Of course if...