Re: SRI, cache validation and ServiceWorkers from Jake Archibald on 2014-05-19 (public-webappsec@w3.org from May 2014)

From: Jake Archibald <jaffathecake@gmail.com>
Date: Mon, 19 May 2014 14:02:14 +0100
To: public-webappsec@w3.org
Message-ID: <CAJ5xic_YsmGZC1YMpLxB=pRrLKLuEVAXjMkTx+fL8c6-R+33TQ@mail.gmail.com>

This sounds very similar to where we got with HTTP serviceworkers. We had:

* Revalidate SW on navigation, regardless of cache headers
* Treat any non-valid response as an immediate SW unregistration

We defined "valid" as HTTP 200, JS content type, & identical content or
successful install.

I like the idea of "disabling" rather than immediate unregistration.

The captive portal thing is a big problem. Say…

* I'm at an airport
* I go the Tripit site
* It loads via its serviceworker
* Browser checks for updates to SW
* It gets a 302, due to a captive portal, SW gets disabled
* I click "Show current trip" on tripit and get thrown to the captive
portal, as the SW is gone

At this point, I can't get access to my flight details unless I pay the
captive portal for access.

Received on Monday, 19 May 2014 13:02:47 UTC