- From: Ben Kelly <notifications@github.com>
- Date: Thu, 19 Apr 2018 06:19:41 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 19 April 2018 13:20:05 UTC
So I was about to write a comment saying that the "initial fetch" does not have the client associated with it so it can't perform CSP checking. I see now, though, we propagate the client for `register()` and `update()` calls. For self-update there is no client, however. That's a bit surprising to me for a couple reasons: First, consider two pages from the same origin. Page A has no CSP. Page B has CSP which would block a service worker script load. Page A registers a service worker. Page B is loaded and becomes controlled. Page B tries to call `update()`, but it fails because its CSP blocks it. If Page A calls `update()` then it succeeds. Also, it seems like using the caller's client for these cases could put the service worker script loading in the outer document's fetch group. Should we a `register()` call that has started, but not fetched yet, to complete if the calling window is closed? I think it should probably complete. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/755#issuecomment-382731887
Received on Thursday, 19 April 2018 13:20:05 UTC