- From: GALISSON Victor <notifications@github.com>
- Date: Wed, 30 May 2018 07:25:49 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 30 May 2018 14:26:16 UTC
I'm currently implementing Firebase to send Webpush notification on a not fully HTTPS webapp. As webpsuh is using service worker which need HTTPS, I did some research to better understand how to use them and on [Google Developers website](https://developers.google.com/web/fundamentals/primers/service-workers/) I've found: > You can only register service workers on pages served over HTTPS, so we know the service worker the browser receives hasn't been tampered with during its journey through the network. Does this means it is possible to register a service worker from a HTTPS page **even though the rest of the website is HTTP** ? I've came across the issue https://github.com/w3c/ServiceWorker/issues/199 and @jyasskin's comment : > If the page requesting the SW isn't secure, and the SW is https but on an attacker-controlled domain, you haven't gained anything at all. Yes, the whole app will need to be https. But because this was said before the specs around HTTP/HTTPS were done, I've been wondering if, in the final way service workers are implemented, the whole app has to be https? Thanks in advance for any clarification ! -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1317
Received on Wednesday, 30 May 2018 14:26:16 UTC