-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Interaction with ServiceWorker #54
Comments
My first thought is that NEL reports should be transparent to ServiceWorker. The scenarios are:
Thoughts? /cc @annevk |
We should make this consistent with whatever CSP does. And other specifications that might do reporting? |
AFAIK, CSP doesn't define anything in this regard: https://w3c.github.io/webappsec/specs/CSP2/#violation-reports I'd propose that we treat these reporting requests as 'client requests'. |
Some new type might be better, "report requests" or some such. Note that you can set the "skip service worker flag" yourself, but it might be better to create a logical grouping for this so new report features follow the established pattern. |
According to @ehsan Gecko will run CSP reports through the service worker. |
Hmm, interesting. I guess for CSP this makes sense since the policy applies to the page you control via SW. As such, you can queue up and dispatch CSP reports once back online, or some such.. For NEL, I think we have different (iframe-like) semantics. For example, consider the following use case: With that in mind, sounds like "skip service worker flag" should do the trick here? |
Well, perhaps if widget.com has a SW, that SW should be notified about the NEL policy. That's what an |
Kind of makes sense too. That way widget.com can just collect all kinds of data locally and at some point synchronize with the server. |
+1 to @annevk's point; I'd like to see these reports run through the service worker so that logging can happen offline and be resync'd later. |
@annevk @slightlyoff my understanding is that if (SW-controlled) example.com embeds widget.com (also SW-controlled) via an iframe, the iframe request will have the skip-sw flag set and it won't automatically spin up the SW for widget.com. Is that not the case? Further, if widget.com load fails, the report is supposed to be delivered to the report-uri registered by widget.com. Re, happen offline and resync'd later: that's implicit in this case, the UA will take that on already. If you're offline we'll have to persist the report and beacon it later once we can reach the report URI. |
The request for the |
Ah, interesting, I misunderstood the SW+iframe interaction then. With that in mind, sgtm. Next question: what's to be done in NEL to account for this? As far as I can tell we don't need to add any additional flags or behaviors in NEL (same story as CSP). |
Yeah, as long as you set all the Fetch parameters correctly everything should be alright. |
Current logic in processing section:
Anything missing or that needs to be clarified? |
I think you should define it in terms of https://fetch.spec.whatwg.org/#concept-fetch. E.g. defining the actual request you pass to fetch. Defining it in terms of HTML's fetch is not great for those implementing. |
@annevk any pointers for a good spec example doing that? |
XMLHttpRequest and fetch() do it. You basically do something like
And cross-reference the terms with Fetch. |
@slightlyoff @annevk independent of the Fetch definition... Thinking out loud:
Q: This NEL report is seen by the mysite.com's SW? It's not clear to me what mysite.com would do with it? It's not its responsibility to deliver that report; share.com was the one that requested the report and its on the UA to deliver it. Shouldn't this report be routed to share.com's SW if one is present, and otherwise not seen by mysite.com? |
Agree that this should be a client request, given the request can be sent when there's no client open for the origin. For subresources with redirect-mode "follow" (eg an In the same case, what if The big question I have is what happens with requests that skip serviceworker. If the report goes to the serviceworker, are we leaking data? It might not be a problem if report always goes to the current request url. |
I'm trying to get my head around the very purpose of the feature. If it's fine/valuable to expose the reports to script surface, developers can capture the NEL If this is not desirable, we'd have to either add a simpler API (which seems to be not desirable though I haven't gotten through the relevant issues yet) or should not expose this by doing everything within the platform. (We might still be able to define relevant algorithms and the hooks between NEL/Fetch/SW.) |
@jakearchibald
I'm not sure I follow your line of thought here... My understanding is that if we declare NEL reports to be client requests then they bypass all SW logic -- is that not so? |
I think this issue is now moot:
I'm going to close this issue; please feel free to re-open if I've misunderstood anything, or if there are other questions. |
The text was updated successfully, but these errors were encountered: