New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update algorithm and redirects #618
Comments
This issue is blocking Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1131271 |
I'm also looking up the history. If a redirection should be considered as a security error, it should not be able to be succeeded at all, either. |
Yeah, but if you want to block redirects you should not be checking "redirect count". Instead you should set the manual redirect flag and check the status code of the response (likely require it to be in range 200 to 299). |
Alright. Depending on the decision, I'll update it as commented. A question is, shouldn't the response code be one of 301/302/303/307/308 when the manual redirect flag is set? |
I don't understand the question. |
I mean, "Shouldn't the response code be one of 301/302/303/307/308 in order to consider it a security (redirection) error"? With "likely require it to be in range 200 to 299" in your comment above, did you mean responses with those status code are NOT security error? |
I mean we should only respect those response code if we are not going to handle redirects. |
Discussed with @slightlyoff and concluded preventing redirection is the safe thing to do here. Updated the text as such: 4f3a555. @annevk please review. |
Could you please share the rationale? Why do you reject with a |
I thought it was a right DOMException as fetch pertains to network operation. Happy to align it to fetch. Is there any general guideline when to use simple exception (TypeError) and when to use DOMException? |
If you asked about the rationale why we'd want to prevent redirection, we thought it'd be part of not allowing x-origin SWs. |
You can prevent that by setting the fetch mode to same-origin, no? |
(I don't think we have guidelines on exceptions.) |
If we want to allow redirects for the SW script, there's a few questions we need to answer:
I think 'no' for all three. |
I would expect yes for 1 and the others explain why introducing scopes just for service workers is a hack. :-( |
The reason I say no for 1 is because you're otherwise likely to introduce thrashing.
2 & 3 aren't solved by dropping scopes, the problem is caused by catering to sites that thinking giving someone webspace in a directory sandboxes them to that director. |
If |
As the script URL passed to
|
So this is all done now, correct? That is, we gave up on redirects due to the design of the |
Where is the issue about setting request's client to null? |
Yes.
This is the one: #615. |
So let me close this issue. The issue about setting request's client to null is tracked in #615, and pointed by from Soft Update algorithm in the spec: https://slightlyoff.github.io/ServiceWorker/spec/service_worker/#soft-update-algorithm. |
I don't understand why this section checks "redirect count". That is a bookkeeping detail of the Fetch specification and is not for other specifications.
If somebody could explain the intent I can maybe say what we should do instead.
The text was updated successfully, but these errors were encountered: