The challenge has ended. Please do not send any new submissions.

Subresource Integrity in Service Workers

Howdy Stranger,



You have come to the right place, if you like web security challenges with a twist.



This one is all about Service Workers. The Service Worker for this page is very strict and does not like unknown subresources.



In fact, it tries to enforce Subresource Integrity.



The goal is to bypass the ServiceWorker and load a script that is under your control. An alert(1) is enough to convince me.





The Rules

Use Firefox 52 or Chrome 56. Find the XSS, send me your name . Make this website load a script from a domain under your control The shortest example wins Send your submission as a URL that I can open it in those browsers. That makes testing easier. Update from 2017-03-14 (20:00 UTC): Sorry I had to take the site down. It will stay online now. Sorry for any inconvenience this may have caused.

Submissions

Please send your submission as a full URL to frederik@braun.im. Submissions will be judged about daily.

Inspired by Anne's suggestion to implement Subresource Integrity in Javascript.