- From: Daniel Abrecht <notifications@github.com>
- Date: Tue, 04 Feb 2025 12:23:38 -0800
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 4 February 2025 20:23:42 UTC
I don't care all that much how it'll work in the end. However, I proposed a header because the server delivering the site will be in control of setting them, and the browser can enforce them. The scripts run on the site can then not circumvent that. I don't think having it controlled on the client side by a script will work for me. After all, my use case is so that the site can't install a service worker and use it to get the token sent to the well known location. If the exclusion is set by a script on the client side, then such a script could also simply not set that exclusion, circumventing the protection it was meant to provide. Maybe another idea would be to just define a fixed location that can never be handled by a service worker. If it was defined that, for example, `.well-known/secret/*` was never handled by a worker, then I could simply put an endpoints there when I want to be sure of that. -- Reply to this email directly or view it on GitHub: https://github.com/w3c/ServiceWorker/issues/1690#issuecomment-2634981060 You are receiving this because you are subscribed to this thread. Message ID: <w3c/ServiceWorker/issues/1690/2634981060@github.com>
Received on Tuesday, 4 February 2025 20:23:42 UTC