
Using service worker to enable COOP/COEP headers : security concerns?


I'm unable to access my server to enable COOP and COEP headers, but I was able to add them via service worker by using the following script https://github.com/gzuidhof/coi-serviceworker, which registers a service worker that has the headers active.

I need COOP and COEP to enable SharedArrayBuffer, which is restricted to avoid vulnerability to Spectre and Meltdown.

My question is whether adding the HTTP headers via service worker poses a security risk, because the headers are not set at the server level.

At the bottom of this article, it argues that this is not a risk: https://dev.to/stefnotch/enabling-coop-coep-without-touching-the-server-2d3n

But I'd appreciate an explanation to better understand whether the service-worker approach is equivalently secure, or leaves open vulnerabilities.

Thanks!


Solution

  • Adding those headers via a service worker is equivalent from a security perspective, and it will enable equivalent functionality. There are a few things to keep in mind, though:

    self.addEventListener("fetch", (event) => {
      if (!["document", "iframe", "worker"].includes(event.request.destination)) {
        return;
      }
    
      event.respondWith(/* your logic here */);
    });
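A fuller version of the fetch handler sketched above, as an added example that is not code from the question, the answer, or the coi-serviceworker project. It assumes a classic (non-module) service worker script; the helper names (`withIsolationHeaders`, `needsIsolationHeaders`, `isolate`) are mine, and opaque cross-origin responses are passed through untouched because their headers cannot be rewritten.

```javascript
// Added example: a service worker that stamps COOP/COEP onto the responses
// that create a browsing context or a worker, so the page becomes
// cross-origin isolated without the origin server sending the headers.
const COOP = "same-origin";
const COEP = "require-corp";
const ISOLATED_DESTINATIONS = new Set(["document", "iframe", "worker"]);

// Return a copy of a plain header map with the two isolation headers set.
// Keys are lower-cased so the merge is case-insensitive, like real HTTP headers.
function withIsolationHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  out["cross-origin-opener-policy"] = COOP;
  out["cross-origin-embedder-policy"] = COEP;
  return out;
}

// Only documents, iframes and workers need COOP/COEP. Subresources (images,
// scripts, fetch()) are instead checked against CORP/CORS once COEP is active.
function needsIsolationHeaders(destination) {
  return ISOLATED_DESTINATIONS.has(destination);
}

// A Response's headers are immutable, so build a new Response that carries the
// original body, status and headers plus COOP/COEP.
function isolate(response) {
  const plain = Object.fromEntries(response.headers.entries());
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: withIsolationHeaders(plain),
  });
}

// Register the handlers only when running inside a service worker.
if (typeof self !== "undefined" && typeof self.addEventListener === "function") {
  self.addEventListener("install", () => self.skipWaiting());
  self.addEventListener("activate", (event) => event.waitUntil(self.clients.claim()));
  self.addEventListener("fetch", (event) => {
    if (!needsIsolationHeaders(event.request.destination)) return;
    event.respondWith(
      // Opaque (no-cors cross-origin) responses have status 0 and hidden
      // headers; they cannot be rewritten, so hand them back unchanged.
      fetch(event.request).then((r) => (r.type === "opaque" ? r : isolate(r)))
    );
  });
}
```

After the worker takes control and the page reloads, `self.crossOriginIsolated` should read `true`; cross-origin subresources that lack `Cross-Origin-Resource-Policy` or CORS will then be blocked by COEP, which is the part the service worker cannot fix for you.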