
Service Workers allow intercepting requests, which means we can create virtual pages that only exist in the browser and never reach servers.

If we create such a virtual page (say /cooks), and set a cookie for /cooks, that cookie should not reach the servers provided that we only request the page after verifying the service worker is indeed intercepting. We can do the verification (pre-request) before each request.

Steps would look like this:

  1. Create a virtual page /cooks/get/randid using service workers.
  2. Set a cookie with the path set to this page.
  3. Load a temporary iframe with src=/cooks/get/randid
  4. There will be a script in the virtual page that reads document.cookie and communicates it to the parent.

This should create a cookie that is never sent to servers.

Why?

Longer lasting session storage that stays in memory (with session cookies).

Browser's session storage, even with a sharing mechanism like the Broadcast Channel API, only lasts until all tabs (of the same origin) are closed. But session cookies typically last until the browser is closed entirely.

This allows closing and re-opening tabs and still having the data in session cookies.

Use Case

Caching encryption keys in client-side storage temporarily, reducing writing those keys to disk as much as possible, because session cookies are (in most browser defaults) kept in memory.

To me it looks more like a cool idea than a foolproof mechanism but I want to hear your thoughts. Does it work as it looks to me?
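A sketch of both halves of that flow, as an added example (not code from the question): a service worker that answers /cooks/get/<id> locally, and page code that refuses to proceed unless a worker currently controls the page. VIRTUAL_PREFIX, the id format and the function names are assumptions.

```javascript
// Added example: service-worker half and page half of the scheme, with the pure logic in plain functions.
const VIRTUAL_PREFIX = '/cooks/get/';
const ID_RE = /^[A-Za-z0-9_-]{16,64}$/;

// Returns the random id when `url` names a virtual page the worker must answer itself, else null.
function virtualPageId(url) {
  const { pathname } = new URL(url, 'https://example.invalid');
  if (!pathname.startsWith(VIRTUAL_PREFIX)) return null;
  const id = pathname.slice(VIRTUAL_PREFIX.length);
  return ID_RE.test(id) ? id : null;
}

// Session cookie (no Expires/Max-Age) scoped to one virtual page, so the browser attaches it only under that path.
function cookieString(name, value, id) {
  return `${name}=${encodeURIComponent(value)}; Path=${VIRTUAL_PREFIX}${id}; Secure; SameSite=Strict`;
}

// Markup the worker serves: the script reads document.cookie and hands it to the parent, same origin only.
function virtualPageHtml(id) {
  return `<!doctype html><script>parent.postMessage({ id: ${JSON.stringify(id)}, cookie: document.cookie }, location.origin);</script>`;
}

// --- service worker (sw.js): answer virtual-page requests locally; everything else goes to the network as usual.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    const id = virtualPageId(event.request.url);
    if (id) event.respondWith(new Response(virtualPageHtml(id), { headers: { 'Content-Type': 'text/html' } }));
  });
}

// --- page: store a value in a path-scoped session cookie and read it back through the virtual page.
async function readThroughVirtualPage(name, value) {
  // Without a controlling worker (first load, hard reload, worker unregistered) the iframe request
  // would reach the server carrying the cookie, so refuse rather than fall through.
  if (!navigator.serviceWorker.controller) throw new Error('service worker is not controlling this page');
  const id = crypto.randomUUID().replace(/-/g, '');
  document.cookie = cookieString(name, value, id);
  return new Promise((resolve) => {
    const iframe = document.createElement('iframe');
    window.addEventListener('message', function onMessage(event) {
      if (event.origin !== location.origin || event.data?.id !== id) return; // ignore foreign or stale messages
      window.removeEventListener('message', onMessage);
      iframe.remove();
      resolve(event.data.cookie);
    });
    iframe.src = VIRTUAL_PREFIX + id;
    document.body.append(iframe);
  });
}
```

The page must have registered sw.js and been loaded once more (or the worker must call clients.claim()) before navigator.serviceWorker.controller is set; a Shift+Reload bypasses the worker and leaves it null, which is the case the check refuses.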

  • 1
    What's your security question?
    – schroeder
    Commented Apr 24 at 8:06
  • @schroeder the question is, does this actually work as it looks. Or perhaps it belongs on Stack Overflow?
    – Dana v
    Commented Apr 24 at 8:35
  • In what way is this a security question?
    – schroeder
    Commented Apr 24 at 9:31
  • It speaks to "securing" session data but in cookies?
    – Dana v
    Commented Apr 24 at 9:38
  • Securing it against what? What's the threat? "Does it work operationally/logically?" is not a security question. That's an operational/flow-logic question. The only security thing I see here is "I want to avoid writing keys to disk and keep it in memory". By avoiding writing to disk and keeping it in memory; you achieved your goal. My guess is that you are asking if this will "work", which is not a security question. "I want to keep my house key in a fake rock. Does this rock model I created look realistic?" -- that's a geology question, not a house security question.
    – schroeder
    Commented Apr 24 at 9:54
