Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
https should not be mandatory #658
Why is HTTPS madatory in Service Worker since Man in the Middle attacks can also be prevented by using WSS (WebSocket SSL) connection?
IMHO, HTTPS is never gonna be the future. Service Worker should provide an option for HTTP + WSS approaches instead of forcing developers to use HTTPS.
Web security isn't just about data the user sends you, it's also about the data you send to your user.
Specifically, in this case, you'll be sending code that ensures the user's data is sent over a secure channel (this could simply be HTTPS, doesn't need to be wss), but you'll be sending that code over an insecure channel. That means a MITM simply needs to remove/rewrite the code that ensures the user's data is sent securely.
Regarding our twitter exchange - as it turns out Firefox has its own method for easing debugging/development on non-trivial setups - those that require more than a static storage (ie. gh-pages).
Firefox uses the
One could also argue, that I should be filing this at Chromium dev (and that might be also true) however widespreed acceptance among big-league players could very much depend on solving the issue of integrating Service Worker development into current developer practices, so I think it might be useful to have at least guidelines in the spec for UA-s to ease development.
I would suggest, that a configuration setting (that would ship stable & developer versions alike) as the one above used in Firefox would solve the stated use cases (deliberately enabling testing on developer-owned devices), while requiring the configuration value to be set to a domain name (only service workers located on said domain would be able to bypass HTTPS check) would fix the problem of leaving one's device completely open for attacks on other sites.
This would effectively be an expansion on how browsers currently handle