-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Service worker doesn't work, what's next? #130
Comments
I don't currently have a strong opinion on this, but would like to share some general thoughts / questions that might need consideration.
I think one way to resolve many (but not all) issues would be to provide an API to "unlock" an origin for PNA requests without having to actually send a request. Bonus points if that API can be used from static HTML. I think an earlier proposed CSP would have done exactly that. Was that idea discarded? If so, why? Edit: The title of the post seems to imply that this proposed change is related to the current ServiceWorker limitations. It's unclear to me how those two things are related. Some elaboration would be greatly appreciated :) |
Wouldn't that bypass one of the CORS design aspects of only guaranteeing things for a given URL, not for a set of paths? I'm also somewhat surprised that we now have |
Yes, that was my understanding crafting the response. "Unlock" was probably a poorly chosen word. I do think that all concerns / thoughts raised in my response are valid and applicable to this scenario though.
Could you elaborate a little more on this aspect? It doesn't appear obvious to me why that would be the case. I would still like to understand how this proposal differs from the CSP proposal and why you believe this would be the better approach.
Thank you for clarifying. This was my understanding.
I think I now understand: What you are saying is that it's not possible to use service worker as a solution to the problem of how to add It seems like the most comprehensive approach would be to move the mixed content check to "before the request goes onto the wire", i.e. to the time of egress from the service worker. I'm not going to pretend I understand all of the implications (e.g risks and effort) of such a change, but it appears that the mixed content policy is intended to prevent insecure requests from unknowingly to the user traversing networks where they could be intercepted, observed, manipulated, etc. As long as a request doesn't traverse a network, it is not subject to those threats. A request to At a time before service workers it may have made sense to do the mixed content check at the time of request creation, but today it is not a given that a request will actually end up on a wire just because it was instantiated. Moving the mixed content check to the time of or just before egress seems to be the "correct" solution here. This would also enable service workers to provide responses to insecure requests for which they may have obtained a response previously or via a way different than E.g. in a world with egress-timed mixed content checks, the following would be possible:
|
Ok, here's another thought: If we assumed the mixed-content policy wasn't a problem, would service worker then be considered a reasonable solution to the problem? Because if so I don't think it is even necessary to come up with a solution as part of the specification. Once PNA/PermissionDialog is implemented in service workers, the following might be a reasonable application based solution:
I recognize that this puts the onus of being able to identify and manage URIs that should be redirected to insecure endpoints onto the application developer, but that doesn't seem too crazy. A simple scheme could be put in place by the application developer to encode that information in the URI itself (e.g. 'https://192.168.0.1?makeInsecure=1') and transform the URI accordingly in the service worker. I still think egress-timing the mixed content check is probably the more comprehensive solution, but from skimming through the fetch, Service Worker and Mixed Content specs for a bit I also recognize that that might not be an exactly trivial undertaking. In fact this is what I naturally attempted on doing to get PNA/PermissionDialog to work with EventSource in my project, but had to instead go with a |
Content Security Policy option got some opposition internally because on one hand, we have put too many random stuff into CSP and it is probably not good to do it more, and on the other hand, |
We would like to propose that websites needs
fetch()
to unlock mixed content fetches in local/private address space.Once
fetch()
is sent withtargetAddressSpace
for a certain domain. It will cached for the current document context and it will be used to enable preflights to the same domain in other contexts, e.g.<iframe>
or<img>
.The text was updated successfully, but these errors were encountered: