Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How are non-secure context Clients observable? #791

Closed
ehsan opened this issue Nov 27, 2015 · 5 comments
Closed

How are non-secure context Clients observable? #791

ehsan opened this issue Nov 27, 2015 · 5 comments
Milestone
Version 1

Comments

@ehsan
Copy link

ehsan commented Nov 27, 2015

As far as I can tell from reading the spec, a Client representing a non-secure context cannot be observed. Clients.matchAll() when used with includeUncontrolled: true already excludes non-secure Clients. And Clients.get() also excludes non-secure Clients (and it's impossible to observe such a clientId in the first place since we don't dispatch FetchEvents for such clients anyways).

Does this mean that implementations are free to ignore the places in the spec where we're talking about Client objects being non-secure?
@jungkees
Copy link
Collaborator

As far as I can tell from reading the spec, a Client representing a non-secure context cannot be observed.

Yes, that's the intention. Here's the summary how the APIs deal with the non-secure contexts: #754 (comment).

Does this mean that implementations are free to ignore the places in the spec where we're talking about Client objects being non-secure?

I'm not clear with this. Is there any such place in the spec I'm missing?

@jungkees jungkees added this to the Version 1 milestone Nov 30, 2015
@jdm
Copy link

jdm commented Nov 30, 2015

@jungkees Look for the phrase "not a secure context" in the spec.

@jungkees
Copy link
Collaborator

jungkees commented Dec 1, 2015

clients.get(id), clients.matchAll(), clients.claim() can still deal with the non-secure context clients, e.g., the iframes running on the same origin with the service worker but embedded in an http top frame. Those clients should be filtered out, and the above APIs are exactly where that happens.

Re client's id, fetch events for a non-secure client is also filtered out in Handle Fetch, but a non-secure client's id can still be exposed if we don't filter it out in matchAll(), etc.

@jungkees
Copy link
Collaborator

jungkees commented Dec 3, 2015

Closing. Please let me know if more discussion is needed.

@jungkees jungkees closed this as completed Dec 3, 2015
@ehsan
Copy link
Author

ehsan commented Dec 4, 2015

My point was mostly about Clients.get(). Per spec, there is no way to obtain a clientId belonging to a non-secure context. Clients.matchAll() and Clients.claim() don't work for non-secure clients, and we will never dispatch a FetchEvent for a non-secure non-subresource load, so the behavior of Clinets.get() would be the same whether or not the check for the secure context exists in the spec.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Version 1
Development

No branches or pull requests
3 participants
@jdm @ehsan @jungkees