Yes, but not directly via a service worker (aren't they blocked from network access in general?) - you'd have to trigger the main thread to sync with the service worker, then perform the exfiltration for you.

The original way to do this via a synchronous XHR request in visibilitychange/beforeunload/unload handlers gave you a 1-2s window to exfiltrate the data. That's been deprecated in exchange for a more insidious "invisible background connection to the server maintained after closing the tab or navigating away" that doesn't involve any UI delays. (For "a better experience" of course, not for stealth! Never!)

It's called the beacon API [0] and it's supported by basically all browsers [1]. This was introduced because, chiefly among others, Google Analytics was stuck between blocking in head to record the page view or moving to the end of the html document and using documentready but with a fairly high risk of user navigating away before all that had a chance to trigger at all or after it triggered but before it could exfiltrate the data.

[0]: https://developer.mozilla.org/en-US/docs/Web/API/Beacon_API

[1]: https://caniuse.com/?search=beacon%20api

Wow - that is just sad to see from Mozilla (sighs, where did all the good guys go?)

Excerpt from their KB

Navigator.sendBeacon() .... It’s intended to be used for sending analytics data to a web server, and avoids some of the problems with legacy techniques for sending analytics, such as the use of XMLHttpRequest.

https://developer.mozilla.org/en-US/docs/Web/API/Navigator/s...

A cursory web search didn't provide information about restrictions that would apply.

I remember seeing service workers in browser devtools or task manager without having given explicit permission.