[w3c/ServiceWorker] CORS preflight for static import in a module service worker (#1574)

A static import for a cross-origin script in a module service worker causes a CORS preflight due to the added "Service-Worker" header (specified in https://w3c.github.io/ServiceWorker/#update-algorithm). Hence the fetch operation will fail unless the remote server handles CORS preflight correctly.

For example, assume there is a service worker script like this

```
// https://a.com/sw.js

import "https://b.com/cross-origin-script.js";
```

and if https://b.com/cross-origin-script.js doesn’t have “Access-Control-Allow-Headers: service-worker” and “Access-Control-Allow-Origin: a.com”, the registration of sw.js will fail with the following error:

> "Access to script at 'https://b.com/cross-origin-script.js' from origin 'https://a.com' has been blocked by CORS policy: Request header field service-worker is not allowed by Access-Control-Allow-Headers in preflight response."

(Tested it on Chrome)

I think it’s confusing behavior so I’d like to suggest the following options:

1) Keep the current behavior and a cross-origin script should explicitly return “Access-Control-Allow-Headers: service-worker” in its response.

2) Add “Service-Worker” to “CORS-safelisted request-header”.

3) Do not add the "Service-Worker: script" header to import scripts.



Received on Wednesday, 17 March 2021 08:00:51 UTC
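
The preflight exchange described in this issue, as an added example that is not part of the original message or of any browser's code: a simplified model of the check for a non-credentialed request, next to the response headers b.com would need to send under option 1. The function names, the `ALLOWED_ORIGINS` allowlist and the sample request are assumptions made for illustration.

```javascript
// Simplified model of the CORS preflight check for a non-credentialed request.
// preflightResponseFor, preflightPasses and ALLOWED_ORIGINS are hypothetical names.

// Origins b.com is willing to serve the script to (constructed sample value).
const ALLOWED_ORIGINS = new Set(["https://a.com"]);

// Build the response headers b.com returns for an OPTIONS preflight.
// Only allowlisted origins are echoed back; any other origin gets no CORS headers.
function preflightResponseFor(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-headers": "service-worker",
    "vary": "Origin",
  };
}

// Split a comma-separated header value into lowercase names.
function headerList(value) {
  return (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Decide whether the browser would let the actual request proceed.
function preflightPasses(requestHeaders, responseHeaders) {
  const allowOrigin = responseHeaders["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== requestHeaders["origin"]) {
    return { ok: false, reason: "origin not allowed" };
  }
  const allowed = headerList(responseHeaders["access-control-allow-headers"]);
  for (const name of headerList(requestHeaders["access-control-request-headers"])) {
    // "*" is a wildcard only because this model assumes no credentials are sent.
    if (!allowed.includes("*") && !allowed.includes(name)) {
      return { ok: false, reason: `request header field ${name} is not allowed` };
    }
  }
  return { ok: true, reason: "" };
}

// Constructed preflight for the static import in https://a.com/sw.js.
const samplePreflight = {
  "origin": "https://a.com",
  "access-control-request-method": "GET",
  "access-control-request-headers": "service-worker",
};
```

A server that answers with only `Access-Control-Allow-Origin: *` still fails this check, which matches the error quoted above.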