Abusing Service Workers API

Akamai Security Intelligence & Threat Research published a page on Abusing the Service Workers API.

Rather surprised to find 18 Service Workers on my MacBook. Holy catchfish, eighteen trackers, who never asked permission to install analytics...

AFAIK only Google and digital news and magazines such as CNN and Diginomica are using service workers for analytics web tracking.

How many service workers do you have on your machine--are any surprising?

18 Service Workers on MBP

Abuse scenarios: Response Modification

Service workers could install analytics without asking for authority to do so. Implementation is left to the site publisher [Accept All Cookies?]

Accept All Cookies?

Service workers are probably skirting security, because installation of PWAs requires the user to install. Apparently analytics tracking does not. Maybe how Google and magazine denying adtech intend to continue analytics after cross-site cookies are deprecated...(my SWAG).

Chrome browser tightening up strictness.

Install Diginomica (install the diginomica.app into enclave)

Service worker complaints on Twitter related to the spec...

> Chris Thoburn
> @Runspired
>
> Dear @Twitter,
>
> ServiceWorker is a horribly broken technology. Your current implementation leaves twitter.com unusable on Chrome or Safari nearly daily, partially because the spec itself is bad.
>
> 4:09pm · 10 Apr 2020 · Twitter Web App
> 4 Replies. 5 Retweets. 16 Likes

> Chris Thoburn @Runspired
> Apr 10
>
> Dear @googlechrome,
>
> Similarly, please let us disable all ServiceWorkers as a feature. I literally never want one on my machine. Thanks.