From ad3bee5f2e6a941a135308b28ce2b30f5d6efac6 Mon Sep 17 00:00:00 2001
From: lockbitchat
Date: Sun, 17 May 2026 23:22:46 -0400
Subject: [PATCH] fix: enforce service worker cache allowlist
---
 sw.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/sw.js b/sw.js
index 0b4cb6c..2f8d34f 100644
--- a/sw.js
+++ b/sw.js
@@ -286,7 +286,12 @@ async function handleRequest(request) {
 try {
 // Strategy 1: Cache First (only for essential PWA assets)
- if (CACHE_FIRST_PATTERNS.some(pattern => pattern.test(url.pathname))) {
+ if (
+ url.origin === self.location.origin &&
+ isCacheableStaticPath(url.pathname) &&
+ !isSensitivePath(url.pathname) &&
+ CACHE_FIRST_PATTERNS.some(pattern => pattern.test(url.pathname))
+ ) {
 return await cacheFirst(request);
 }
@@ -306,6 +311,7 @@ async function handleRequest(request) {
 // Cache First strategy with Response cloning fix
 async function cacheFirst(request) {
+ const url = new URL(request.url);
 const cachedResponse = await caches.match(request);
 if (cachedResponse) {
 return cachedResponse;
@@ -313,7 +319,13 @@ async function cacheFirst(request) {
 try {
 const networkResponse = await fetch(request);
- if (networkResponse && networkResponse.ok) {
+ if (
+ networkResponse &&
+ networkResponse.ok &&
+ url.origin === self.location.origin &&
+ isCacheableStaticPath(url.pathname) &&
+ !isSensitivePath(url.pathname)
+ ) {
 // Clone the response before using it
 const responseToCache = networkResponse.clone();
 const cache = await caches.open(STATIC_CACHE);
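Review bot: A request that fails the new condition in `handleRequest` falls through to the strategies below this hunk, which are not visible here, so the allowlist is only enforced if every one of them also refuses to write sensitive or cross-origin responses to a cache. The three-part test is also written out twice, here and in the third hunk (`cacheFirst`), where the copies can drift apart. I would keep it in one predicate, `const isCacheAllowed = (url) => url.origin === self.location.origin && isCacheableStaticPath(url.pathname) && !isSensitivePath(url.pathname);`, and call it at every `cache.put` site. `isCacheableStaticPath` and `isSensitivePath` are not defined in this patch, so they presumably already exist in sw.js, and `handleRequest` starts and ends outside the hunk.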
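Review bot: The guard added in the third hunk covers only the write to `STATIC_CACHE`; the `caches.match(request)` lookup at the top of `cacheFirst` (context of the second hunk) still returns whatever is already stored, and nothing in this patch evicts responses cached before the allowlist existed. Clients that already hold a sensitive or cross-origin entry can therefore keep being served it by any path that reads the cache. Consider hoisting the check above the lookup, `const allowed = url.origin === self.location.origin && isCacheableStaticPath(url.pathname) && !isSensitivePath(url.pathname);` then `if (!allowed) return fetch(request);`. Old entries should also be purged on activation, in a handler that is outside this diff. The body of `cacheFirst` continues past the end of the hunk.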