Recently I was asked a question by a user about the potential risks involved in using service workers. The point the user made was that Service worker sits in the browser, just like a “virus” ( yes that’s the term he used ) tracking everything and has the potential to leak data and share it with third party unwanted sites.
Now, this is a very serious question which actually hits on the credibility of whether service workers should be used at all on any site.
The service worker sits at a place where it has the control over every hit that leaves the browser to the server, so it has access to all the data which is being sent to a server, which includes passwords and other confidential information.
Let’s try to understand how these concerns are misplaced.
A Service worker is as credible as the Site itself
When you open a site, you install a service worker which starts recording information in your browser. This information is coming from the site and is specific to the site itself.
It can not impact other sites you open on internet, neither can it access information stored by other websites. Unlike a computer virus which can read , write and modify files on your computer this is really not possible for service worker to do.
The objective of the service worker is improve the site’s performance. However, in case of a hacked site the service worker can import a script from an unwanted source and hacker can show malicious information and steal information when use the website, this would happen in case of all hacked sites irrespective of a service worker.
Limited access to a single site
A service worker is only limited to a site. The service worker javascript file is stored in user’s computer but it only receives data from 1 particular site. It runs for one site and has access to resources of one site. It can only affect data coming from and out of one particular site, it can not read data from other sites.
For service worker push notifications which are shown even when you are not using the site, the site needs explicit permission from the user browsing the site.
Access to browser storage only.
Service workers can only access to browser storage. They can not go beyond a browser to affect other parts of your computer. Most modern browsers have browser storage is specific for a website.
Conclusion
Since, service workers has been in place since 2015 when everyone started using Push notifications, there is no doubt many sites use it and users might be unaware that they are already using it from a long time.
If you just open : chrome://serviceworker-internals/ in your chrome browser, you can see all the service worker registrations, you’ll be amazed at how many service workers are running in your browser already.