Re: [w3c/ServiceWorker] Registering service workers for unique origins? (#1437)

Thoughts for TPAC:

* Does this have a use outside of wrapped apps?
* It feels like this has a lot of the same "opaque vs visible" difficulties as foreign fetch. E.g., if the untrusted content fetches something from the parent origin? Right now that will be seen as cross-origin, but with a service worker in the middle, controlled by the parent, it could be seen as a same-origin response.
* We'd need the concept of opaque-origin-but-created-from-non-opaque-content. E.g., we can't let `evil.com` create a service worker that picks up requests made by `<iframe sandbox src="https://example.com">`.



Received on Sunday, 15 September 2019 08:25:15 UTC