Re: [w3c/ServiceWorker] Registering service workers for unique origins? (#1437) from Andrea Canciani on 2024-05-04 (public-webapps-github@w3.org from May 2024)

From: Andrea Canciani <notifications@github.com>
Date: Sat, 04 May 2024 10:02:09 -0700
To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3c/ServiceWorker/issues/1437/2094302859@github.com>

> Thoughts for TPAC:
> 
> * Does this have a use outside of wrapped apps?

I am hacking on a webapp to display archived webpages from MAFF or WARC files (so in a sense I would use to handle "wrapped webapps").
While many websites are obviously too dynamic to be archived, other are basically designed to allow for this (see PWAs).
OTOH I am currently facing some concerns regarding the best way to keep each of them isolated (not sharing localStorage, caches, ...).

> * It feels like this has a lot of the same "opaque vs visible" difficulties as foreign fetch. Eg, if the untrusted content fetches something from the parent origin? Right now that will be seen as cross-origin, but with a service worker in the middle, controlled by the parent, it could be seen as a same origin response.

In my use case, I would never perform a fetch from the service worker directly. Instead I would either:
 - generate data from within the SW (typically extracting the file from the bundle)
 - ask another context to provide data (for example by posting a message to a `Client`)

> * We'd need the concept of opaque-origin-but-created-from-non-opaque-content. Eg, we can't let `evil.com` create a service worker that picks up requests made by `<iframe sandbox href="https://example.com">`.

IIUC for the problem stated by the OP this might not even be needed, as the service worker they are registering is only supposed to handle requests made by `<iframe sandbox href="your-opaque-origin-worker-url">`. Conversely, requests from `<iframe sandbox href="https://example.com">` would still be handled normally (by the `https://example.com` SW, if it exists).

Short-term, I am planning to try and (ab)use wildcard domain names to "generate" unique origins. This makes setting up the RPC between the SW and embedder non-trivial and requires an ad-hoc configuration on the server side.

What might be the best way to move forward with this issue?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1437#issuecomment-2094302859
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/ServiceWorker/issues/1437/2094302859@github.com>

Received on Saturday, 4 May 2024 17:02:13 UTC