Re: [ServiceWorker] Make secure context requirements more explicit (#754)

So, it was answered by https://github.com/slightlyoff/ServiceWorker/issues/754#issuecomment-145571063 and the Secure Context spec has this: https://w3c.github.io/webappsec-secure-contexts/#examples-service-workers.

I wonder if we want to use "should" for register and messaging? Or should we use "must" for all?
- Service workers **must** execute in secure contexts.
- Register: the registering client **should** be a secure context.
- Control: the service worker clients **must** be secure contexts.
- Messaging: the service worker clients **should** be secure contexts.

For calling APIs in insecure contexts, locking the following APIs seems enough?

```
// Disallow the access to registrations and service workers
ServiceWorkerContainer.controller // throw a SecurityError exception
//  - @mkruisselbrink suggested it returns undefined. Not sure which way is better.
ServiceWorkerContainer.ready // reject with SecurityError exception
//  - @mkruisselbrink is concerned about ready never rejecting, but I think it's okay here.
ServiceWorkerContainer.register() // reject with SecurityError exception
ServiceWorkerContainer.getRegistration() // reject with SecurityError exception
ServiceWorkerContainer.getRegistrations() // reject with SecurityError exception

// Disallow posting a message to a client in insecure context
Client.postMessage() // throw a SecurityError exception if the target client is not a secure context

// Disallow the access to cache objects (which the spec already does).
CacheStorage.match() // reject with SecurityError exception
CacheStorage.has() // reject with SecurityError exception
CacheStorage.open() // reject with SecurityError exception
CacheStorage.delete() // reject with SecurityError exception
CacheStorage.keys() // reject with SecurityError exception
```

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/754#issuecomment-145770857

Received on Tuesday, 6 October 2015 07:47:40 UTC
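
Added example, not part of the original message or of the ServiceWorker spec: page-side code that behaves the same under either proposal for `controller` in an insecure context (throwing a SecurityError or returning undefined) and that handles a rejected `register()`. `makeInsecureContainer`, `safeController`, `tryRegister` and the `/sw.js` path are hypothetical names, and the container is a constructed mock so the snippet runs outside a browser.

```javascript
// SecurityError stand-in: browsers raise a DOMException; only the name matters here.
function securityError(message) {
  const err = new Error(message);
  err.name = 'SecurityError';
  return err;
}

// Constructed mock of ServiceWorkerContainer as seen from an insecure context.
// controllerMode: 'throw' (the post's proposal) or 'undefined' (@mkruisselbrink's suggestion).
function makeInsecureContainer(controllerMode) {
  return {
    get controller() {
      if (controllerMode === 'throw') throw securityError('insecure context');
      return undefined;
    },
    register() {
      return Promise.reject(securityError('insecure context'));
    },
  };
}

// Read .controller so that both proposed behaviours collapse to null.
function safeController(container) {
  try {
    return container.controller || null;
  } catch (err) {
    if (err && err.name === 'SecurityError') return null;
    throw err; // anything else is a real bug, do not swallow it
  }
}

// Register only from a secure context and report why registration did not happen.
async function tryRegister(container, scriptURL, isSecure) {
  if (!isSecure) return { ok: false, reason: 'insecure-context' };
  try {
    return { ok: true, registration: await container.register(scriptURL) };
  } catch (err) {
    if (err && err.name === 'SecurityError') return { ok: false, reason: 'security-error' };
    throw err;
  }
}

// In a page: tryRegister(navigator.serviceWorker, '/sw.js', window.isSecureContext)
```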