[w3c/ServiceWorker] Can HTTPS traffic without origin header be intercepted by Service Worker (Issue #1654)

I am trying to intercept HTTPS traffic with a SW but saw behavior for which I couldn't find any documentation.
HTTPS Proxy used: Fiddler 
Test Application Instance: Box 
**Behavior 1:** 
Able to add a test header `test: SW` with the service worker for a request that has an origin header even though the request is cross-site.
```
GET https://cdn01.boxcdn.net/enduser/uploads-manager-enduser.cef7c6a861.js HTTP/1.1
Host: cdn01.boxcdn.net
Connection: keep-alive
sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Origin: https://demodeepak.app.box.com/
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Referer: https://demodeepak.app.box.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
test: SW
```
**Behavior 2:** 
Unable to add the same test header with the service worker for a request that does not have an origin header and the request is cross-site.
```
GET https://dl.boxcloud.com/zip_download/zip_download?ProgressReportingKey=2A124336F0C2E2B206709C5F26FAEE86&d=123548616116&ZipFileName=boxnote%20rproxy.zip&Timestamp=1658732956&AuthCode=dQLo4nEqSPrS7CHyBuq6MhRsBIymdpF6&HMAC2=07bdc53a6ae389a2b253e4caab9d3b482fc69d67d30efc7ec4503968f3dd1243 HTTP/1.1
Host: dl.boxcloud.com
Connection: keep-alive
sec-ch-ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: https://demodeepak.app.box.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
```
Can anybody help me understand what the expected behavior is?

Received on Wednesday, 27 July 2022 12:47:45 UTC
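
The following is an added example, not part of the original post or of the ServiceWorker project. It classifies the two captured requests by `Sec-Fetch-Mode`, which is what separates them, rather than by the presence of `Origin`. A subresource fetch goes to the worker controlling the requesting page, while a navigation (including an iframe navigation) is matched against registrations by its destination URL. The request texts are abridged from the traces above, and `SCOPE`, `parseRequest` and `classify` are assumed names.

```javascript
// Added example. Request texts are abridged from the two traces in the post
// (query string and most headers dropped); SCOPE is an assumed registration scope.
const SCOPE = "https://demodeepak.app.box.com/";

const SUBRESOURCE = `GET https://cdn01.boxcdn.net/enduser/uploads-manager-enduser.cef7c6a861.js HTTP/1.1
Host: cdn01.boxcdn.net
Origin: https://demodeepak.app.box.com/
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script`;

const NAVIGATION = `GET https://dl.boxcloud.com/zip_download/zip_download HTTP/1.1
Host: dl.boxcloud.com
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe`;

// Parse a proxy-style request (absolute-form target) into URL + lowercase header map.
function parseRequest(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const target = lines[0].split(" ")[1];
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { url: new URL(target), headers };
}

// Decide whether a worker registered at `scope` gets a fetch event for the request,
// assuming the page that issued it is controlled by that worker.
function classify(raw, scope) {
  const { url, headers } = parseRequest(raw);
  if (headers["sec-fetch-mode"] === "navigate") {
    // Navigations: the registration is matched against the destination URL
    // (scope is a URL prefix), not against the page that started the navigation.
    return { kind: "navigation", matchedOn: "destination URL",
             pageWorkerSeesIt: url.href.startsWith(scope) };
  }
  // Subresource fetches go to the worker controlling the requesting client,
  // whatever the destination origin.
  return { kind: "subresource", matchedOn: "controlling client", pageWorkerSeesIt: true };
}

console.log(classify(SUBRESOURCE, SCOPE), classify(NAVIGATION, SCOPE));
```

Requests without a `Sec-Fetch-Mode` header (older browsers) fall through to the subresource branch here, so the check is only meaningful for traces that carry Fetch Metadata headers.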