Re: [ServiceWorker] HTTP authentication and proxy authentication hook (#119) from sleevi on 2015-07-03 (public-webapps-github@w3.org from July 2015)

From: sleevi <notifications@github.com>
Date: Fri, 03 Jul 2015 06:55:22 -0700
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/119/118357590@github.com>

> It makes fetch() less clean inside service workers (do we need it elsewhere?), but so be it.

I think any time where a fetch() API is explicitly being called, we will need some way to discuss the clients.

> Mixed Content: Requests in a service worker can affect the address bar icon. It seems though that mixed content warnings should affect all open windows and if there are no open windows we should treat this as a network error. So this should probably be a separate flag of sorts set by Service Workers that allows Fetch and Mixed Content to deal with this scenario?

That's https://github.com/whatwg/fetch/issues/69 , which I'm about to chime in on, because Chrome networking, security, and SW teams have discussed this extensively w/r/t Chrome's UI

> HTTP auth: If you want this bring your own UI.

I'm sorry, but that fundamentally doesn't work, because it breaks the pass-through SW case where you're talking to a third-party origin.

That is, I can't use
```
onFetch(fetchEvent) {
  fetchEvent.respondWith(fetch(fetchEvent.request))
}
```
if fetchEvent.request may result in auth.

So that's why I think the client issue is more generalized, and explicitly not limited to just client certificates.

> HTTP proxy auth: Network error, including for window? Would be great if we could do that for fetch() I think. Otherwise we should have something similar to client certificates for this.

s/similar/the same/ - I don't think users or implementors benefit from trying to justify the client on a case by case basis, especially so you don't end up with scenarios like:

```
onFetch(fetchEvent) {
  fetchEvent.respondWith(fetch(Request(fetchEvent.request, {
    clientCertificateClient: fetchEvent.client,
    httpAuthClient: fetchEvent.client,
    proxyAuthClient: fetchEvent.client,
    froobleFrazzleClient: fetchEvent.client
  })));
}
```

Instead, if we just do either
```
onFetch(fetchEvent) {
  fetchEvent.respondWith(fetchEvent.client.fetch(fetchEvent.request));
}
```
or
```
onFetch(fetchEvent) {
  fetchEvent.respondWith(fetch(Request(fetchEvent.request, { client: fetchEvent.client; })));
}
```

Then they both seem better. And we can define an implicit client for those implementing the [GlobalFetch](https://fetch.spec.whatwg.org/#globalfetch) interface if the Request.client is undefined, which means that you can still do `fetch(url)` or `fetch(Request(url))` and have it Just Work


---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/119#issuecomment-118357590

Received on Friday, 3 July 2015 13:55:53 UTC