no-dynamic-service-worker-url
Prevent dynamic URLs in service worker registration.
⚠️ Security Issue
| Property | Value |
|---|---|
| CWE | CWE-829: Inclusion of Functionality from Untrusted Control Sphere |
| OWASP | A08:2021 - Software and Data Integrity Failures |
| CVSS | 8.1 (High) |
| Severity | HIGH |
📋 Description
Dynamically constructing the URL passed to `navigator.serviceWorker.register()` can cause the browser to install a script the author did not intend. An installed service worker intercepts every network request within its scope, so a malicious script loaded this way gains full control over network requests for your site.
❌ Incorrect
```js
// Dynamic URL construction
navigator.serviceWorker.register(userInput);

// Template literal with expression
navigator.serviceWorker.register(`${basePath}/sw.js`);

// Concatenation
navigator.serviceWorker.register(path + '/worker.js');
```
✅ Correct
```js
// Static string URL
navigator.serviceWorker.register('/sw.js');

// Constant URL
navigator.serviceWorker.register('/service-worker.js', { scope: '/' });
```
🛠️ Options
```json
{
  "rules": {
    "@interlace/browser-security/no-dynamic-service-worker-url": [
      "error",
      {
        "allowInTests": true
      }
    ]
  }
}
```
Known False Negatives
The following patterns are not detected because of static analysis limitations:
URL from Configuration
Why: values read from configuration objects are not analyzed.
```js
// ❌ NOT DETECTED - From config
navigator.serviceWorker.register(config.serviceWorkerUrl);
```
Mitigation: Hardcode service worker URLs.
Aliased Register Function
Why: calls made through an alias of the register function are not traced.
```js
// ❌ NOT DETECTED - Aliased
const registerSW = navigator.serviceWorker.register.bind(
  navigator.serviceWorker,
);
registerSW(dynamicUrl);
```
Mitigation: Avoid aliasing the register function.
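The following is an added example, not code from the rule's documentation or from the `@interlace/browser-security` project. It shows the shape the Description and the Known False Negatives sections both point at: every `register()` call receives a string literal, and a caller's choice only selects which literal is used; for the config-sourced case the rule cannot see, a runtime allowlist check is layered on top. The names `registerServiceWorker`, `isAllowedServiceWorkerPath`, `registerFromConfig`, `ALLOWED_SERVICE_WORKER_PATHS`, the `container` parameter (standing in for `navigator.serviceWorker`) and the origin `https://app.example` are assumptions made for the example.

```javascript
// Added example, not part of the rule's documentation. Every
// register() argument below is a string literal; the key only selects
// which literal is used, so the complete set of scripts that may take
// over this origin's fetches is visible to the linter and to reviewers.
// `container` is navigator.serviceWorker in a browser; it is a parameter
// (assumed name) so the function can be exercised under Node with a fake.
function registerServiceWorker(key, container) {
  switch (key) {
    case 'default':
      return container.register('/sw.js');
    case 'offline':
      return container.register('/service-worker.js', { scope: '/' });
    default:
      // Unknown keys fail closed instead of falling back to a computed path.
      throw new Error(`unknown service worker key: ${String(key)}`);
  }
}

// Paths permitted to be installed as service workers (assumed allowlist,
// kept in sync by hand with the literals above).
const ALLOWED_SERVICE_WORKER_PATHS = Object.freeze(['/sw.js', '/service-worker.js']);

// Runtime check for the false-negative case the rule cannot see: a URL read
// from configuration. The candidate is resolved against the page origin and
// accepted only if it is same-origin, carries no query or fragment, and its
// normalized path is on the allowlist. `origin` is passed explicitly
// (window.location.origin in a browser) so this also runs outside a browser.
function isAllowedServiceWorkerPath(candidate, origin) {
  let parsed;
  try {
    parsed = new URL(candidate, origin);
  } catch {
    return false; // unparseable input is rejected, not guessed at
  }
  // Rejects absolute cross-origin URLs and protocol-relative "//host/sw.js".
  if (parsed.origin !== origin) return false;
  if (parsed.search !== '' || parsed.hash !== '') return false;
  // URL parsing has already collapsed "." and ".." segments here.
  return ALLOWED_SERVICE_WORKER_PATHS.includes(parsed.pathname);
}

// Guarded registration for config-sourced values: validate, then register the
// normalized path. The argument is still computed rather than literal, which
// is exactly what the rule exists to prevent; treat this as a runtime backstop
// for legacy configuration, not as the preferred form.
function registerFromConfig(configUrl, container, origin) {
  if (!isAllowedServiceWorkerPath(configUrl, origin)) {
    throw new Error(`refusing to register service worker from ${String(configUrl)}`);
  }
  return container.register(new URL(configUrl, origin).pathname);
}
```

`registerServiceWorker` is the form the rule accepts without complaint; `registerFromConfig` exists only for code that cannot yet be migrated to literals and should be reviewed with the same care as the allowlist it depends on.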
📚 Related Resources
Error Message Format
The rule emits LLM-optimized error messages in a compact two-line format with actionable security guidance:
```text
🔒 CWE-829 OWASP:A03 CVSS:7.5 | Untrusted Control Sphere Inclusion detected | HIGH
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A03_2021/
```
Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-829 OWASP:A03 CVSS:7.5 |
| Issue Description | Specific vulnerability | Untrusted Control Sphere Inclusion detected |
| Severity & Compliance | Impact assessment | HIGH |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |