Re: [w3c/ServiceWorker] Preventing server-forced updates (#822)

> I can't quite get my head around the use cases.

The exact use case @mappum was describing seems to be what [is being discussed over here](https://community.signalusers.org/t/web-app-for-signal/1272/21). Although I can imagine not only E2EE apps require this. Almost any downloaded application uses code signing to verify updates nowadays.
Service Workers require HTTPS by default, which I guess is the reason why code-signed updates aren't really a thing on the web, and perhaps they're not really necessary. But I believe some applications could still benefit from this.

Perhaps being able to prevent server-forced updates is too generic. Maybe what we need here is something more specific to code signing updates. So that only Service Workers that make use of code signing may prevent server-forced updates.
I'm not really sure how this would work though, because that way a malicious script could still block a Service Worker from getting updated by introducing code signing for the first time.

-- 
https://github.com/w3c/ServiceWorker/issues/822#issuecomment-575940875

Received on Saturday, 18 January 2020 21:41:34 UTC