Commit 9d3e340

[README] Update README for Fix #368 Check Service Worker cache integrity
1 parent 288e4b4 commit 9d3e340

1 file changed

+2
-0
lines changed

README.md

@@ -9,6 +9,7 @@ Thin Hook Preprocessor (experimental)
99

1010
## Notes
1111

12+
- **[Vulnerability Fix]** Since [0.4.0-alpha.24](https://github.com/t2ym/thin-hook/releases/tag/0.4.0-alpha.24) with [Fix #368 Check Service Worker cache integrity](https://github.com/t2ym/thin-hook/issues/368), integrity of Service Worker cache contents is verified with HMAC keys. Prior to this version, corrupted Service Worker cache contents can intrude into the application.
1213
- **[Vulnerability Fix]** Since [0.4.0-alpha.22](https://github.com/t2ym/thin-hook/releases/tag/0.4.0-alpha.22) with [Fix #363 Block blob URLs](https://github.com/t2ym/thin-hook/issues/363), blob URLs are blocked except for `<a download="filename" href="blob:...">Download Link</a>`. Prior to this version, documents with blob URLs bypass Service Worker.
1314
- **[Vulnerability Fix]** Since [0.4.0-alpha.22](https://github.com/t2ym/thin-hook/releases/tag/0.4.0-alpha.22) with [Fix #362 Option to block `<embed>` and `<object>` elements](https://github.com/t2ym/thin-hook/issues/362), the application hangs up on `<embed>` and `<object>` activities with `hook.parameters.hangUpOnEmbedAndObjectElement = true`. Prior to this version, `<embed>` and `<object>` documents can bypass Service Worker with Chrome Canary 86.
1415
- **[Vulnerability Fix]** Since [0.4.0-alpha.21](https://github.com/t2ym/thin-hook/releases/tag/0.4.0-alpha.21) with [Fix #355 Treat proxy objects as alias objects in ACL](https://github.com/t2ym/thin-hook/issues/355), ACL is properly applied for proxy objects created via `new Proxy(target, handler)` and `Proxy.revocable(target, handler)` as with their original `target` objects. Prior to this version, ACL for the `target` objects are not applied to proxy objects.
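Review bot: The added Fix #368 entry says cache contents are "verified with HMAC keys" but does not say what the MAC covers (body only, or also the URL and headers), where the key lives, or what the application does when verification fails. "Corrupted ... cache contents can intrude into the application" is also vaguer than the neighbouring entries, which name the bypass concretely. Suggest stating the covered fields and the failure behaviour in one more clause, and saying whether "corrupted" means contents modified in Cache Storage outside the Service Worker's own writes.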
@@ -1131,6 +1132,7 @@ To achieve this, the static entry HTML has to be __Encoded__ at build time by `h
11311132
- Check integrity of requests and responses
11321133
- Encrypt request body data
11331134
- Decrypt response body data
1135+
- Check integrity of Service Worker cache contents by appending and verifying `x-cache-*` headers
11341136
- TBD
11351137
- Configurations
11361138
- TBD
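Review bot: The new bullet documents the mechanism only as the wildcard `x-cache-*`, so a reader cannot tell which headers are appended, what each carries, or how they relate to the HMAC keys mentioned in the Notes entry added by the same commit. Suggest listing the header names, noting that they carry the HMAC-based integrity data if that is the case, and stating whether they are removed before a cached response is handed to the page. The "Configurations" item below is still TBD, so any setting that controls this check is undocumented as well.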
