The challenge has ended. Please do not send any new submissions.

---> Spoilers & Solutions here

Subresource Integrity in Service Workers

Howdy Stranger,

You have come to the right place, if you like web security challenges with a twist.

This one is all about Service Workers. The Service Worker for this page is very strict and does not like unknown subresources.

In fact, it tries to enforce Subresource Integrity.

The goal is to bypass the ServiceWorker and load a script that is under your control. An alert(1) is enough to convince me.

The Rules

  1. Use Firefox 52 or Chrome 56.
  2. Find the XSS, send me your name .
  3. Make this website load a script from a domain under your control
  4. The shortest example wins
  5. Send your submission as a URL that I can open it in those browsers. That makes testing easier.
  6. Update from 2017-03-14 (20:00 UTC): Sorry I had to take the site down. It will stay online now. Sorry for any inconvenience this may have caused.


  1. Mario Heiderich with 81 characters (Firefox only).
  2. Eduardo Vela with 93 characters (Chrome only).
  3. Artur Janc with 97 characters.
  4. Masato Kinugawa with 98 characters.
  5. Alex "insertScript" Inf├╝hr with 118 characters.
  6. Manuel Caballero with 140 characters.
  7. Stefano Vettorazzi with 144 characters.
  8. You?

Please send your submission as a full URL to Submissions will be judged about daily.