firefox -- Same-origin-policy violation using Service Workers with plugins
The Mozilla Foundation reports:
MFSA 2016-13
Jason Pang of OneSignal reported that service workers intercept
responses to plugin network requests made through the browser. Plugins which
make security decisions based on the content of network requests can have these
decisions subverted if a service worker forges responses to those requests. For
example, a forged crossdomain.xml could allow a malicious site to violate the
same-origin policy using the Flash plugin.
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright