Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Registering service workers for unique origins? #1437

Open
mjbvz opened this issue Jun 19, 2019 · 4 comments

Comments

Projects
None yet
3 participants
@mjbvz
Copy link

commented Jun 19, 2019

Problem

I am looking for a way to register a service worker runs for a unique origin. The lifetime of the service worker would be tied to the lifetime of the page with that unique origin.

Details

I develop VS Code's webview API, which lets VS Code extensions render arbitrary html inside of the VS Code editor. I am currently trying to set up a sandboxed environment for webviews using iframes + service workers. Here's the basic structure:

<!-- Serve up from a unique origin so that the iframe cannot effect our main page -->
<iframe src="https://cdn.contoso.com" sandbox="allow-same-origin">
  <html>
     <body>

     <!--
        This is a static html page served up from cdn.contoso.com. It is where
        we have VS Code's scripts for managing webview content. 
     
        This is also where we register a service worker for cdn.contoso.com. We use 
        the service worker to implement a virtual `/vscode-resource/` endpoint
        that the untrusted html provided by extension can use to load resources
        from the user's workspace (we delegate the loading back to the main page,
        which lets us allow or deny this the request)
     -->
    <iframe width="100%" height="100%" sandbox="allow-same-origin">
        <!-- Actual html content coming from an extension -->

        <img src="/vscode-resource/Users/matt/workspace/cat.git"> // This goes through the service worker
     </iframe>
    </body>
  </html>
</webview>

The main issue with this approach is that all the webview content ends up being served from the same cdn.contoso.com origin, which means that webviews can end up effecting each other indirectly. I've tried various incantations of allow-same-origin and srcdoc and data uris, but have not been able to find a means to serve the iframe in a unique origin so that we can still register a service worker for it.

A secondary issue is that we need to stand up cdn.contoso.com to serve up the outer iframe content in the first place. This adds extra setup and maintenance cost for people hosting VS Code.

Here's the actual code that implements all this today:

Proposals

I believe that allowing service workers to be registered in sandboxed iframe that does not set allow-same-origin would solve the main issue for us. Since the origin of the page in that case is unique, my expectation is that the service worker's lifetime would be tied to that of the document itself. Once the document is unloaded, the browser could delete the service worker and clean up any related resources.

Another approach would be an API for registering a one-time service worker that runs on a unique origin. The page would then be able to use the unique origin to serve up content. The lifetime of the worker would be the same as the page itself (similar to URL.createObjectURL).

For example, this could look something like:

const worker = await navigator.createServiceWorkerEndpoint('source of my virtual server worker');

const iframe = document.createElement('iframe');
iframe.src = worker.url; // This will result in a `fetch` against our worker for `/` at our unique origin
document.body.appendChild(iframe);

The url would be a guaranteed unique origin, perhaps by using a unique identifier: sw-endpoint://00071f0e-fd75-4525-acde-cacb6fc7a1cd. The url would be usable on the page that created the worker as well as on any pages it embeds.

The registered service worker itself would behave just like a normal service worker. However its lifetime would be linked to the page that created it. This would also simplify the creation of a virtual server for us (because we do not use many parts of service workers, such as them being shared across multiple pages).

Possibly Related issues

@wanderview

This comment has been minimized.

Copy link
Member

commented Jun 19, 2019

This is an interesting use case. I think our original reason for blocking service workers on opaque origins is because at the time we didn't see how it could provide offline or another reasonable use case.

@asutherland

This comment has been minimized.

Copy link

commented Jun 20, 2019

URL.createObjectURL I think is generally considered a regrettable decision we wouldn't want to imitate. As designed it encourages leaking resources, and as browsers need to implement it (at least Firefox), it's actually even more horrible under the hood.

Being able to register a single ServiceWorker on a special scope that's explicitly for opaque origins for this exact scenario might work, though. Like: navigator.serviceWorker.register("/script.js", { scope: navigator.serviceWorker.opaqueOrigins }) where the sentinel scope requires that it would have been legal to specify a scope of "/".

@mjbvz

This comment has been minimized.

Copy link
Author

commented Jul 10, 2019

That makes sense. I mainly brought up the createServiceWorkerEndpoint idea because it also would let us use a service worker to control the loading an iframe src (we can't use srcdoc directly because that causes the iframe to inherit the parent page's content security policy)

What are the next steps in continuing this discussion? I don't think our use case is specific to our implementation of webviews for VS Code

@mjbvz

This comment has been minimized.

Copy link
Author

commented Jul 12, 2019

To try to workaround this limitation, I've setup a domain that serves the same content on every subdomain you access (this way, the served up pages have a unique origin). These subdomains are only used once by a client and a service worker is registered for them.

However I do not know if this will cause perf issue for browsers in practice. What will happen as the number of service workers builds up as we keep accessing new subdomains? I've asked about this on StackOverflow. I think I may be able to call unregister on the service worker inside window.onwillunload but am not sure, and I don't know if this is even something to worry about

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.