[ServiceWorker] register() should not allow file://, wss://, etc (#780) from Ben Kelly on 2015-11-10 (public-webapps-github@w3.org from November 2015)

From: Ben Kelly <notifications@github.com>
Date: Tue, 10 Nov 2015 05:54:06 -0800
To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Message-ID: <slightlyoff/ServiceWorker/issues/780@github.com>

Is it intended that .register() now allows file:// (and wss://, etc) URLs? It simply says:

> * If the result of running Is origin potentially trustworthy with the origin of scriptURL as the argument is Not Trusted, then:
>   * Return a promise rejected with a "SecurityError" exception.

But the Is origin potentially trustworthy algorithm now allows file schemes:

> If origin's scheme component is file, return "Potentially Trustworthy".

Note, Cache API still does explicitly requires http or https URLs for all Requests. So its not really feasible to load a site from file:// and have the service worker function correctly.

I spoke with @jakearchibald on IRC and he agreed we should block file://.  I think to be safest we should explicitly check for https:// or http:// after the security check.


---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/780

Received on Tuesday, 10 November 2015 13:54:41 UTC