[w3c/ServiceWorker] Service-Worker-Allowed can be cross-origin to the script URL. (#1307)

I noticed we don't have WPT tests for Service-Worker-Allowed and started upstreaming Chrome's.

While doing that I added test cases for when SWA is an absolute URL, and found that Chrome accepts SWA that is cross-origin to the script URL, since it only looks at the path of the SWA. That seems a bit surprising. For example, this works if run on https://my-origin.com:
```
// Set the scope to an upper path of the script location.
// The script response included "Service-Worker-Allowed: https://another-origin.com/",
// i.e. an absolute URL whose origin differs from the script's origin.
navigator.serviceWorker.register("/js/sw.js", { scope: "/" }).then(() => {
  console.log("Install succeeded as the max allowed scope was overridden to '/'.");
}).catch((err) => {
  console.log("Install failed: " + err.message);
});
```
That seems to agree with the spec which has these steps:

1. Let maxScope be the result of parsing serviceWorkerAllowed with job’s script url.
2. Set maxScopeString to "/" concatenated with the strings in maxScope’s path (including empty strings), separated from each other by "/".

I believe that parsing an absolute URL with a cross-origin base URL ends up ignoring the base URL, based on results from `new URL()` (correct me if I'm wrong...).

I think we should error on a cross-origin SWA from the script URL though. Firefox seems to be doing this. Here is the error output when the script URL is same-origin with the scope at resources/empty-worker.js, and SWA was cross-origin:

Failed to register a ServiceWorker: The path of the provided scope ‘http://127.0.0.1:8001/service-workers/service-worker/resources/this-scope-is-normally-allowed’ is not under the max scope allowed ‘https://www1.web-platform.test:8444/’. Adjust the scope, move the Service Worker script, or use the Service-Worker-Allowed HTTP header to allow the scope.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1307

Received on Monday, 23 April 2018 04:16:42 UTC
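The spec steps quoted in the issue (parse Service-Worker-Allowed against the script URL, then build maxScopeString from the path only) can be reproduced with the WHATWG URL API, which is what exposes the cross-origin case. The block below is an added example, not code from the w3c/ServiceWorker issue, the spec, or any browser: it implements the path-only comparison as the quoted steps describe it, alongside a stricter variant that rejects a Service-Worker-Allowed value whose origin differs from the script's. The script, scope and header values are constructed inputs; `checkScope` and the `rejectCrossOrigin` option are names chosen here, not spec or browser identifiers.

```javascript
// Reproduce the max-scope computation from the quoted spec steps using the WHATWG
// URL API (Node's global URL). Added example; assumptions are noted inline.

// Step 1 of the quoted spec text: parse the header value with the script URL as
// base. An absolute header value ignores the base, so a cross-origin value parses
// to a URL on the other origin without error.
// Step 2: maxScopeString is "/" + the path segments joined by "/", which for the
// special schemes is exactly what URL.pathname already returns.
function specMaxScopeString(scriptUrl, serviceWorkerAllowed) {
  const maxScope = new URL(serviceWorkerAllowed, scriptUrl);
  return maxScope.pathname;
}

// Default max scope when the header is absent: the script's directory
// (everything up to and including the last "/" of the script path).
function defaultMaxScopeString(scriptUrl) {
  const p = new URL(scriptUrl).pathname;
  return p.slice(0, p.lastIndexOf("/") + 1);
}

// checkScope: decide whether `scopeUrl` may be registered for `scriptUrl`.
// `serviceWorkerAllowed` is the raw header value or null. With
// rejectCrossOrigin: true, a header whose origin differs from the script's is
// refused before the path comparison (the behaviour the issue argues for).
function checkScope(scriptUrl, scopeUrl, serviceWorkerAllowed, opts = {}) {
  const script = new URL(scriptUrl);
  const scope = new URL(scopeUrl, script);

  // The spec separately requires scope and script to be same-origin.
  if (scope.origin !== script.origin) {
    return { ok: false, reason: "scope is cross-origin to the script URL" };
  }

  let maxScopeString;
  if (serviceWorkerAllowed == null) {
    maxScopeString = defaultMaxScopeString(scriptUrl);
  } else {
    const maxScope = new URL(serviceWorkerAllowed, script);
    if (opts.rejectCrossOrigin && maxScope.origin !== script.origin) {
      return {
        ok: false,
        reason: "Service-Worker-Allowed is cross-origin to the script URL",
        maxScopeString: maxScope.href,
      };
    }
    // Path-only comparison, as in the quoted steps: the header's origin is dropped.
    maxScopeString = maxScope.pathname;
  }

  const ok = scope.pathname.startsWith(maxScopeString);
  return {
    ok,
    maxScopeString,
    reason: ok ? null : "scope path is not under the max scope allowed",
  };
}

// Constructed inputs mirroring the issue's example.
const SCRIPT = "https://my-origin.com/js/sw.js";
const CROSS_ORIGIN_SWA = "https://another-origin.com/";

function demo() {
  return {
    noHeader: checkScope(SCRIPT, "/", null),
    sameOriginHeader: checkScope(SCRIPT, "/", "/"),
    crossOriginPathOnly: checkScope(SCRIPT, "/", CROSS_ORIGIN_SWA),
    crossOriginStrict: checkScope(SCRIPT, "/", CROSS_ORIGIN_SWA, { rejectCrossOrigin: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the surprise the issue describes: with the path-only steps, the cross-origin header yields maxScopeString "/" and the registration of scope "/" is accepted, identically to a same-origin "/" header, whereas without a header the default "/js/" rejects it. The strict variant refuses the cross-origin header outright.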