Re: [ServiceWorker] https should not be mandatory (#658)

Regarding our [Twitter exchange](https://twitter.com/slsoftworks/status/581863309797924864) - as it turns out, Firefox has its own method for easing debugging/development on non-trivial setups - those that require more than a static storage (i.e. gh-pages).

Firefox uses the `dom.serviceWorkers.testing.enabled` setting - which, when set to true, disables the HTTPS-restriction on service workers completely (IIUC). One might argue that is too much of a vulnerability *(as leaving that setting open would make it so the browser is completely unprotected on all sites - practically removing all security provided by the feature in the first place)*.

One could also argue that I should be filing this at Chromium dev (and that might also be true); however, widespread acceptance among big-league players could very much depend on solving the issue of integrating Service Worker development into current developer practices, so I think it might be useful to have at least guidelines in the spec for UAs to ease development.

I would suggest that a configuration setting (that would ship in stable & developer versions alike) such as the one above used in Firefox would solve the stated use cases (deliberately enabling testing on developer-owned devices), while requiring the **configuration value to be set to a domain name** (*only service workers located on said domain would be able to bypass the HTTPS check*) would fix the problem of leaving one's device completely open for attacks on other sites.

This would effectively be an expansion on how browsers currently handle `localhost` as a special case — comments on this would be much welcome.

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/658#issuecomment-87283965

Received on Saturday, 28 March 2015 18:59:30 UTC
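
The host-scoped exemption proposed in the message above, sketched as an added example (not part of the original message, and not any browser's implementation). `devExemptHost` and `mayRegisterServiceWorker` are hypothetical names, and the host names in the comments are constructed; the point is that the configured value has to be compared as an exact host, otherwise look-alike URLs inherit the bypass.

```javascript
// Added illustration. `devExemptHost` stands for a hypothetical user-set
// preference holding one bare host name; it is not an existing browser setting.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Accept only a bare host name: no scheme, port, path, userinfo or wildcard.
function normalizeHost(value) {
  if (typeof value !== "string" || !/^[a-z0-9.-]+$/i.test(value)) return null;
  return value.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
}

// Decide whether a service worker script URL passes the transport check.
function mayRegisterServiceWorker(scriptURL, devExemptHost) {
  let url;
  try {
    url = new URL(scriptURL);
  } catch {
    return false; // unparsable URLs never qualify
  }
  if (url.protocol === "https:") return true;  // the normal, secure case
  if (url.protocol !== "http:") return false;  // no other schemes qualify

  // Compare the parsed host, never a substring of the raw URL string:
  //   http://dev.example.test@evil.example/   -> host is evil.example
  //   http://dev.example.test.evil.example/   -> a different host
  //   http://a.dev.example.test/              -> subdomains are not implied
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (LOOPBACK_HOSTS.has(host)) return true;   // existing localhost special case

  const exempt = normalizeHost(devExemptHost);
  return exempt !== null && host === exempt;   // exact match only
}
```

With the preference unset or malformed, the function falls back to the current behaviour: HTTPS or loopback only.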