-
Notifications
You must be signed in to change notification settings - Fork 315
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make secure context requirements more explicit #754
Comments
This should be clarified first. When writing the secure context section, I think I didn't take into account the case where the client having a potentially trustworthy origin is embedded in an insecure context. I think the minimum requirement is "A SW should be executed in its registering client's origin which is potentially secure." Is there any reason that such clients embedded in insecure context should not access the SW? |
I had discussed this with @slightlyoff when I wrote the text. I forgot the reason we got to that exactly. Will find out and clarify it. /cc @slightlyoff |
I think it depends on this discussion: #754 (comment). If it turns out the minimum requirement there is enough, additional guards in the method for secure context would not be required. Otherwise, I can add them where they make sense.
A service worker client as a spec concept is just an environment settings object. An uncontrolled client is a client within the same origin but currently uncontrolled as like it's out-of-scope. One such client can be gotten by e.g.: I agree this text ("the controlled service worker clients should also be secure contexts") should be clarified too. Thanks for having pointed them out. |
I'd like to understand what @mikewest thinks. The plain reading of the Secure Contexts doc is that an |
I guess this means embedded social media frames (for like, follow, etc buttons) couldn't use service workers if they are embedded in an html document. Right? I guess this seems ok to me and its probably something foreign-fetch could solve in the future. |
From https://code.google.com/p/chromium/issues/detail?id=489670
Related bug #700 - this feels like a dupe? |
Well the reason this was raised is because it's unclear in the specification. So in that sense it's not a duplicate. |
Yes, this was raised because 1) the current spec doesn't specify what should and shouldn't be available to a potential client in an insecure context (I agree that probably nothing should be available there, to be least surprising, and avoid the trivial postMessage wrapper), and 2) the current spec doesn't specify what should happen if an insecure context tries to access any of the API. I assume for 2) that controller always returns undefined, ready returns a promise that always rejects, and all the methods also return promises that always reject? Although for ready the spec says that it will never reject, so maybe in this case it should also just return a promise that never resolves nor rejects? |
So, it was answered by #754 (comment) and the Secure Context spec has this: https://w3c.github.io/webappsec-secure-contexts/#examples-service-workers. I wonder if we want to use "should" for register and messaging? Or should we use "must" for all?
For calling APIs in insecure contexts, locking the following APIs seems enough?
|
Must for all. |
I don't understand what |
What's the rationale for should? |
Applied the requirements as discussed so far: 002eba5. (Discussed further with @slightlyoff and decided to use "must" for all):
|
Blink: tracked in https://crbug.com/542499. |
I came up with a question while implementing this change: |
Null or undefined does not matter much in that sense, since either way it's discoverable that a property is defined. |
Will discuss hiding the properties entirely or not-hiding in the web app sec meeting. |
Is it intended that .register() now allows file:// URLs? It simply says:
But the Is origin potentially trustworthy algorithm now allows file schemes:
Note, Cache API still does explicitly requires http or https URLs for all Requests. So its not really feasible to load a site from file:// and have the service worker function correctly. |
F2F: update spec. Property won't exist in non-secure contexts. Make sure SW doesn't work for Remaining question: Should |
@jakearchibald I think it's fine for it to exist and throw, if a user agent considers |
Closed by 5264a72
|
It is not clear to me what the current spec actually requires when it comes to secure contexts. Other than for the cache API, the only mention on restrictions wrt secure contexts seems to be this paragraph:
The first thing I'm confused about is why this is only a "should", while secure context checks for the cache API are phrased as a "must"?
But more importantly, I'm not sure what requirements this is actually trying to impose on which parts of the API. For one this paragraph doesn't seem to say anything at all about "uncontrolled service worker clients" (not sure if there is such a thing), or more in general which parts of the API should be available to contexts that run in the same origin as a service worker, but that are not secure contexts. From just reading that paragraph I'm led to believe that insecure contexts should be able to call pretty much every method, get access to existing SW registrations, postMessage to them, etc.
But I've been told (in WICG/background-sync#90) that the intention of the paragraph is to completely disallow access to any API surface from insecure contexts. If that is indeed the intended behavior, could that maybe be specified somehow?
The text was updated successfully, but these errors were encountered: