On Fri Nov 14 2014 at 11:10:13 Mike West <mkwst@google.com> wrote: > > To fix this, I suggest adding an additional step along the lines of >> "If any service worker was registered, then return blocked" before "If >> request’s mode is CORS or CORS-with-forced-preflight, return blocked." >> > > If a website can request a particular video/audio/image, then it's not > clear that a Service Worker shouldn't be able to do the same (with UI > degradation, as appropriate). Jake (CC'd) has harangued me with the example > of a podcasting app, for instance: it's absolutely something we'd want to > see work offline, and the <audio> tag is perfectly capable of playing back > insecure content. > > Should we block Service Worker from doing the same? I don't think that's > as clear-cut as you suggest. > Also, one of the bad things about appcache is a valid but otherwise empty manifest makes massive changes to the behaviour of the page. No subresources will load, and the page pointing to the manifest will be cached. This is terrible & we want to avoid doing the same with ServiceWorker, an empty-but-valid ServiceWorker should have no impact on the loading of the page and resources. >
Received on Friday, 14 November 2014 15:48:40 UTC