Override the "mode" of Service Worker requests #5875
Conversation
|
I think this is w3c/ServiceWorker#1518 and should probably be addressed in the service workers specification itself as it's a key security feature. |
|
@annevk A few details make me think this is only observable through the Sec-Fetch-Mode header:
Does that seem right to you? Does it influence your thoughts on the change's significance or its optimal location? |
|
It seems like we should set the mode in the service worker spec in the same place we set redirect to "error". |
|
Thanks, @wanderview. I'm still interested in learning how to make decisions like this, but I'm happy to submit a pull request to Service Workers in the mean time. |
|
Actually, service workers lean on web worker loading, so is this already done here? https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script In step 1. |
|
That only applies to "classic worker scripts." Module scripts' mode defaults to " But that confusion is understandable and further reason to prefer addressing the mode in HTML--setting the mode to "same-origin" isn't always necessary in Service Workers' "perform the fetch" algorithm. |
|
Ah. I guess I don't have a strong opinion. No browser has implemented module service workers yet so I would not be surprised if there are other bugs in that part of the spec. |
|
I guess I'll defer to @domenic. |
|
This is a tough one. On the one hand, this HTML patch fits in pretty nicely; HTML is clearly trying to treat workers specially when loading module scripts, and omitting service workers looks like a bug. On the other hand, service workers are pretty special, and already own a lot of their own fetching; it's not clear how much business HTML has setting up fetches for them at all. However, first I have a question: w3c/ServiceWorker#1534 seems to override the mode of all module script fetches in the graph, whereas this PR only overrides the top-level one. I think likely the latter is correct? I.e. you shouldn't be prevented from doing |
|
@domenic I think you're right: it seems likely that I overlooked how the "perform the fetch" steps are applied. That may be an area for improvement, so I've filed a separate issue to confirm my interpretation and suggest a change. |
Tests for this behavior have already been merged to WPT.
Firefox 82 and Chromium 86 both implement this behavior.
Instead of addressing this in HTML, we could modify the "perform the fetch" algorithm in Service Workers. Since this step in HTML has such a similar purpose, I'm assuming it's preferable to extend it instead.
...but considering the alternatives makes me wonder if this is already done in some step I've overlooked.
/cc @mkruisselbrink
💥 Error: Wattsi server error 💥
PR Preview failed to build. (Last tried on Jan 15, 2021, 8:00 AM UTC).
More
PR Preview relies on a number of web services to run. There seems to be an issue with the following one:
🚨 Wattsi Server - Wattsi Server is the web service used to build the WHATWG HTML spec.
🔗 Related URL
If you don't have enough information above to solve the error by yourself (or to understand to which web service the error is related to, if any), please file an issue.