[ServiceWorker] Make secure context requirements more explicit (#754)

It is not clear to me what the current spec actually requires when it comes to secure contexts. Other than for the cache API, the only mention of restrictions with respect to secure contexts seems to be this paragraph:

> Service workers should execute in secure contexts, and the controlled service worker clients should also be secure contexts. This effectively means that service workers and their service worker clients should be hosted over HTTPS. The user agents may allow localhost, 127.0.0.0/8, and ::1/128 for development purposes. (Note that they are still secure contexts.) The primary reason for this restriction is to protect users from the risks associated with insecure contexts.

The first thing I'm confused about is why this is only a "should", while secure context checks for the cache API are phrased as a "must"?

But more importantly, I'm not sure what requirements this is actually trying to impose on which parts of the API. For one, this paragraph doesn't seem to say anything at all about "uncontrolled service worker clients" (not sure if there is such a thing), or, more generally, which parts of the API should be available to contexts that run in the same origin as a service worker but that are not secure contexts. From just reading that paragraph I'm led to believe that insecure contexts should be able to call pretty much every method, get access to existing SW registrations, postMessage to them, etc.

But I've been told (in slightlyoff/BackgroundSync#90) that the intention of the paragraph is to completely disallow access to any API surface from insecure contexts. If that is indeed the intended behavior, could that maybe be specified somehow?

---
Reply to this email directly or view it on GitHub:
https://github.com/slightlyoff/ServiceWorker/issues/754

Received on Tuesday, 29 September 2015 21:26:07 UTC
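To make concrete what the quoted paragraph's rule actually admits, here is an added, stand-alone example (not code from the Service Worker spec, the issue, or any browser): it classifies a page URL as a secure context for service worker purposes using exactly the three carve-outs the paragraph names (HTTPS, `localhost`, `127.0.0.0/8`, `::1/128`). The function names and the sample URLs are constructed for this illustration; real user agents apply the fuller "potentially trustworthy origin" algorithm from the Secure Contexts spec, which this sketch does not reproduce.

```javascript
// Added example: a minimal implementation of the secure-context rule quoted in the
// issue, so the reader can see which origins it lets through. Names are constructed
// for this example; browsers use the Secure Contexts "potentially trustworthy
// origin" algorithm, which covers more cases than the three listed here.

// Parse a dotted-quad IPv4 literal into its four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// 127.0.0.0/8: any IPv4 address whose first octet is 127.
function isLoopbackV4(host) {
  const octets = parseIPv4(host);
  return octets !== null && octets[0] === 127;
}

// ::1/128: only the single IPv6 loopback address. The WHATWG URL parser keeps
// the square brackets in `hostname`, so strip them before comparing.
function isLoopbackV6(host) {
  const bare = host.replace(/^\[|\]$/g, '').toLowerCase();
  return bare === '::1' || bare === '0:0:0:0:0:0:0:1';
}

// The paragraph names "localhost" only; subdomains such as foo.localhost are
// deliberately not accepted here.
function isLocalhostName(host) {
  return host.toLowerCase() === 'localhost';
}

// Returns true when a document at `urlString` is a secure context under the
// paragraph's rule: HTTPS anywhere, or plain HTTP only on a loopback host.
// Unparseable URLs and non-http(s) schemes are treated as insecure.
function isSecureContextForServiceWorker(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false;
  }
  if (url.protocol === 'https:') return true;
  if (url.protocol === 'http:') {
    const h = url.hostname;
    return isLocalhostName(h) || isLoopbackV4(h) || isLoopbackV6(h);
  }
  return false;
}

// Constructed sample origins covering each branch of the rule.
const SAMPLE_URLS = [
  'https://example.com/app/',        // secure: HTTPS
  'http://example.com/app/',         // insecure: HTTP on a public host
  'http://localhost:8080/',          // secure: localhost carve-out
  'http://127.0.0.1:8000/sw.js',     // secure: 127.0.0.0/8
  'http://127.255.0.7/',             // secure: still inside 127.0.0.0/8
  'http://128.0.0.1/',               // insecure: just outside the /8
  'http://[::1]:3000/',              // secure: ::1/128
  'http://[::2]/',                   // insecure: a different IPv6 address
];

// Map each sample URL to its verdict; the table is what a reviewer of the
// spec text would want to see when deciding whether the wording is tight enough.
function classify(urls) {
  return urls.map((u) => ({ url: u, secure: isSecureContextForServiceWorker(u) }));
}

for (const row of classify(SAMPLE_URLS)) {
  console.log(`${row.secure ? 'secure  ' : 'insecure'}  ${row.url}`);
}
```

The point the table makes is that the carve-outs are about the document's host, not about who served the script or how the registration was obtained; whether an insecure same-origin page may still reach an existing registration, as the issue asks, is a separate question this rule does not answer.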