Re: [w3c/ServiceWorker] Allow the service worker to work in the background without stopping for installed PWA (Issue #1728)

yoshisatoyanagisawa left a comment (w3c/ServiceWorker#1728)

I understand the desire for PWA background capabilities closer to native apps. However, allowing persistent Service Worker execution poses significant security and privacy risks due to fundamental differences in how PWAs and native apps operate.

Why it's Different for PWAs:
1. **User Expectations & Control**: Users expect web activity to end when a tab closes. Unlike native apps with clear OS-level permissions and controls, a continuously running Service Worker would violate this expectation, making it hard for users to know or control what's happening in the background, risking covert data collection.

2. **Ease of Abuse**: Native apps go through app store vetting. PWAs, like any website, are easily distributed without such reviews. Granting persistent background access could turn this ease into a vulnerability, making it simple for malicious PWAs to form botnets, persistently steal data, or excessively drain resources without immediate detection or control.

3. **Browser's Role**: The browser manages resources for all web content. Unrestricted background PWAs would overwhelm this management, jeopardizing overall web performance and stability. Native apps rely on the OS for this governance, a level of control the browser doesn't have over web content.

In essence, while more background capabilities are appealing, persistent Service Workers introduce disproportionately higher risks to user security, privacy, and device performance within the current web model. The existing event-driven Service Worker design is a crucial balance to mitigate these dangers.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1728#issuecomment-3125176280
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/ServiceWorker/issues/1728/3125176280@github.com>