Re: [w3c/ServiceWorker] Is it possible to serve service workers from CDN/remote origin? (#940)

@annevk I might be misunderstanding, but I believe the trouble really lies with the ServiceWorker spec, in that it mostly makes `worker-src` superfluous (it has no effect). The better solution would be to have `worker-src` default to `'self'`, which matches the current behavior of the ServiceWorker spec, but also make it overridable, similar to how CORS headers can allow certain behaviors that are disabled by default.

Currently, the `worker-src` can't be used to allow behavior – it can only restrict – because of the way the ServiceWorker spec is written. This goes against expected behavior when comparing to other CSP directives and CORS. 

See: https://github.com/w3c/webappsec-csp/issues/130#issuecomment-254734072

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/940#issuecomment-429252109

Received on Friday, 12 October 2018 08:45:52 UTC
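
The interaction discussed in the message above, as an added example that is not part of the original thread or of either spec's text: a simplified model in which registration must pass both the Service Worker same-origin check and the CSP check, so `worker-src` can only narrow what is allowed. Assumptions: the function names and the `app.example` / `cdn.example` hosts are constructed, and source matching is reduced to `'self'`, `*` and exact origins.

```javascript
// Simplified model, not the spec algorithms verbatim.
// Find the source list that governs workers, using the CSP3 fallback chain
// worker-src -> child-src -> script-src -> default-src. Returns null if none is set.
function governingWorkerSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  for (const name of ['worker-src', 'child-src', 'script-src', 'default-src']) {
    if (directives.has(name)) return directives.get(name);
  }
  return null;
}

// CSP side: may this page load a worker script from scriptOrigin?
function cspAllows(policy, pageOrigin, scriptOrigin) {
  const sources = governingWorkerSources(policy);
  if (sources === null) return true; // no governing directive: CSP does not restrict
  return sources.some((s) =>
    s === '*' ||
    (s === "'self'" && scriptOrigin === pageOrigin) ||
    s === scriptOrigin); // 'none' matches nothing
}

// Both checks must pass; listing an origin in worker-src cannot lift the first one.
function canRegister(pageUrl, scriptUrl, policy) {
  const pageOrigin = new URL(pageUrl).origin;
  const scriptOrigin = new URL(scriptUrl, pageUrl).origin;
  const sameOrigin = pageOrigin === scriptOrigin;          // Service Worker spec
  const csp = cspAllows(policy, pageOrigin, scriptOrigin); // CSP
  return { sameOrigin, csp, allowed: sameOrigin && csp };
}

// Constructed cases: a CDN-hosted script the policy lists, and a same-origin
// script the policy forbids.
const cdnCase = canRegister('https://app.example/', 'https://cdn.example/sw.js',
  "worker-src 'self' https://cdn.example");
const restrictedCase = canRegister('https://app.example/', '/sw.js',
  "worker-src 'none'");
console.log(cdnCase, restrictedCase);
```
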