- From: Mart Roosmaa <notifications@github.com>
- Date: Wed, 30 May 2018 15:10:07 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 30 May 2018 22:10:30 UTC
Currently the service worker [update algorithm](https://w3c.github.io/ServiceWorker/#update-algorithm) specifies that the _request_’s _service-workers mode_ should be set to "none", which prevents the currently active service worker from intercepting this request (if I understand the specs correctly). I tried finding the reason behind that decision, but couldn't find any discussions around that. So I'm guessing this is mostly to prevent people from accidentally shooting themselves into the foot and creating a service worker that accidentally caches itself. I would like to propose that there should be a way to force the update algorithm to route its requests through the currently active service worker. Having such an option would allow security critical websites to use the service worker to implement public-key digital signature verification for data/code that is downloaded. It would be a way to protect against compromised CDN, DNS servers and BGP hijacking. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1318
Received on Wednesday, 30 May 2018 22:10:30 UTC