- From: Asami <notifications@github.com>
- Date: Wed, 17 Mar 2021 01:00:38 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/ServiceWorker/issues/1574@github.com>
A static import for a cross-origin script in a module service worker causes a CORS preflight due to the added "Service-Worker" header (specified in https://w3c.github.io/ServiceWorker/#update-algorithm). Hence the fetch operation will fail unless the remote server handles CORS preflight correctly.

For example, assume there is a service worker script like this

```
// https://a.com/sw.js
import "https://b.com/cross-origin-script.js";
```

and if https://b.com/cross-origin-script.js doesn’t have “Access-Control-Allow-Headers: service-worker” and “Access-Control-Allow-Origin: a.com”, the registration of sw.js will fail with the following error:

> "Access to script at 'https://b.com/cross-origin-script.js' from origin 'https://a.com' has been blocked by CORS policy: Request header field service-worker is not allowed by Access-Control-Allow-Headers in preflight response."

(Tested it on Chrome)

I think it’s confusing behavior so I’d like to suggest the following options:

1) Keep the current behavior and a cross-origin script should explicitly return “Access-Control-Allow-Headers: service-worker” in its response.
2) Add “Service-Worker” to “CORS-safelisted request-header”.
3) Do not add the "Service-Worker: script" header to import scripts.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1574
Received on Wednesday, 17 March 2021 08:00:51 UTC
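
The preflight decision described in the message above, sketched as an added example that is not part of the original message and not browser code. It is a simplified model of the Fetch CORS checks; the function names are hypothetical, the sample headers are constructed, and the origin is written in its serialized form `https://a.com`.

```javascript
// Simplified model of the Fetch CORS checks (added illustration, not browser code).
// Header names a cross-origin request may carry without triggering a preflight.
// The value restrictions on these (e.g. for Content-Type) are ignored in this sketch.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type", "range"]);

// Returns the lowercased, sorted request header names that force a preflight.
function unsafeHeaderNames(requestHeaders) {
  return Object.keys(requestHeaders)
    .map((n) => n.toLowerCase())
    .filter((n) => !SAFELISTED.has(n))
    .sort();
}

// Parses a comma-separated header value into a set of lowercased tokens.
function tokens(value) {
  return new Set((value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean));
}

// Decides whether a preflight response lets the actual request proceed.
// preflightHeaders is a response header map with lowercase keys.
function preflightAllows(origin, requestHeaders, preflightHeaders, credentialed = false) {
  const allowOrigin = preflightHeaders["access-control-allow-origin"];
  const originOk = allowOrigin === origin || (allowOrigin === "*" && !credentialed);
  if (!originOk) return { ok: false, reason: "origin not allowed" };
  const allowed = tokens(preflightHeaders["access-control-allow-headers"]);
  const wildcard = allowed.has("*") && !credentialed;
  for (const name of unsafeHeaderNames(requestHeaders)) {
    if (!wildcard && !allowed.has(name)) {
      return { ok: false, reason: `request header field ${name} is not allowed` };
    }
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample: the import issued on behalf of https://a.com/sw.js.
const importRequest = { "Service-Worker": "script" };
const bare = { "access-control-allow-origin": "https://a.com" };
const fixed = { ...bare, "access-control-allow-headers": "service-worker" };
console.log(unsafeHeaderNames(importRequest));
console.log(preflightAllows("https://a.com", importRequest, bare));
console.log(preflightAllows("https://a.com", importRequest, fixed));
```

The `bare` response reproduces the failure reported above, and `fixed` corresponds to option 1 in the message.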