Yes. Two things about service workers:

1. If you can spin up a service worker, the site is already very much in
trouble.

2. I have handwavey ideas about ensuring that the FormData object which
would be readable via the Request object in the service worker would retain
the opaque flag. The spec strawman hints at that, but I haven't done the
work to find all the places to monkey-patch.

-mike

--
Mike West <mk...@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Commercial register and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Wed, Oct 15, 2014 at 4:25 PM, Boris Zbarsky <bzbar...@mit.edu> wrote:

> On 10/15/14, 10:15 AM, Mike West wrote:
>
>> `FormData` objects created from forms including these writeonly elements
>> would be "opaque". You could use them to submit an XHR request, but you
>> couldn't read the values directly from script.
>>
>
> If you're at the point where you can run script on the page, can't you
> spin up a service worker that would capture the data in that XHR?
>
> -Boris
>
