- From: Ben Kelly <notifications@github.com>
- Date: Wed, 14 Oct 2015 11:17:36 -0700
- To: slightlyoff/ServiceWorker <ServiceWorker@noreply.github.com>
Received on Wednesday, 14 October 2015 18:18:04 UTC
Actually, there may be a small issue.
Consider two documents:
* example.com/foo.html with no CSP headers
* example.com/bar.html with CSP header child-src: none (or whatever is needed to disallow worker scripts)
Both of these documents execute `navigator.serviceWorker.register('sw.js')`.
If bar.html is loaded first, its register() will fail because of the CSP header when sw.js is fetched.
If foo.html is loaded and then bar.html is loaded in another tab, then the register() in bar.html will succeed. (I think no fetch is initiated here based on Register Algorithm step 4.2.1.2.)
Is this inconsistency desired?
Also, if a document has CSP saying it wants no child scripts, should we ever allow that document to be controlled by a service worker registered by a separate document without CSP?
---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/755#issuecomment-148142978
Received on Wednesday, 14 October 2015 18:18:04 UTC