I wonder what they do with Service Worker updates that the browser normally does every day or so. Do they somehow block install and activate events? If not, then the attacker just needs to update the worker and history repeats.
There's no way to block activate events, but there's a way to delay them. In the meantime, you can check the new Service Worker file against GitHub, and if it doesn't match, warn the user.
twiss|8 years ago