[stackola]

That's not true, service workers still obey the cross-origin policy.

The only thing I can think of is, that a service worker has it's own CSP, as opposed to obeying the CSP of the registering script, but this service doesn't use CSP anyways.

[zawerf]

I meant all the pages published using this tool which are all at the same scope of: https://jstrieb.github.io/urlpages/#blahblah

That said I couldn't get it to work. You would need to be able to register a service worker file at something like https://jstrieb.github.io/urlpages/sw.js but all the pages you have control over have proper html mime type and are rejected when you try to register them (and have too much actual html junk in them to run as js files anyway).

[stackola]

You don't even need a service worker for that.

Just fetch it.

  fetch("https://jstrieb.github.io/")

So yea, other sites on his github pages are compromised, that's true.

[zawerf]

The (malicious) goal I had in mind with service workers is to rewrite all other published pages:

  self.addEventListener('fetch', event => {
    event.respondWith(
      new Response('<h1>I murder kittens for fun</h1>', {
        headers: {
          'Content-Type': 'text/html; charset=utf-8'
        }
      })    
    );
  })