This looks like a CSP issue. The error is 0x805e0006 -> NS_ERROR_CONTENT_BLOCKED. It comes from the following spot https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/dom/security/nsContentSecurityManager.cpp#593 The reason we go into the if block is because `NS_CP_REJECTED(shouldLoad)` is true, so that means NS_CheckContentLoadPolicy rejected the load. (note: I have been using https://app.starbucks.com/ to test this, because it doesn't require signing in to anything to install the service worker). If I log the policy which led to rejecting the script load, it is: > default-src 'self' https://*.starbucks.com https://*.starbucksassets.com; child-src 'self' https://*.starbucks.com https://*.americanexpress.com https://*.chase.com https://*.doubleclick.net https://*.facebook.com https://*.mastercard.com https://masterpass.com https://*.masterpass.com https://*.optimizely.com https://*.paypal.com https://*.visa.com; connect-src 'self' ws: https://*.starbucks.com https://*.starbucksassets.com https://*.akamaihd.net https://*.akstat.io https://*.doubleclick.net https://*.facebook.com https://*.go-mpulse.net https://*.google-analytics.com https://*.iesnare.com wss://mpsnare.iesnare.com https://*.mastercard.com https://*.mparticle.com https://*.nr-data.net https://*.optimizely.com https://*.paypal.com https://thm.visa.com https://*.zeronaught.com; font-src 'self' data: https://*.starbucks.com https://*.starbucksassets.com https://fonts.gstatic.com; img-src 'self' data: https://*.starbucks.com https://*.starbucksassets.com https://*.adsrvr.org https://*.agkn.com https://*.akamaihd.net https://*.bing.com https://*.demdex.net https://*.doubleclick.net https://*.facebook.com https://*.google.com https://*.google-analytics.com https://*.googleapis.com https://*.googletagmanager.com https://*.gstatic.com https://*.marinsm.com https://masterpass.com https://*.masterpass.com https://*.mparticle.com https://*.nr-data.net https://bs.serving-sys.com https://*.visa.com; media-src 'self' data: https://*.starbucks.com https://*.starbucksassets.com https://*.iesnare.com; object-src 'self' https://*.starbucks.com https://thm.visa.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.starbucks.com https://*.starbucksassets.com https://*.aexp-static.com https://s3.amazonaws.com https://*.akamaihd.net https://*.bing.com https://*.chase.com https://*.doubleclick.net https://*.facebook.net https://*.go-mpulse.net https://*.google.com https://*.google-analytics.com https://*.googleadservices.com https://*.googleapis.com https://*.googletagmanager.com https://*.iesnare.com https://*.mastercard.com https://masterpass.com https://*.masterpass.com https://*.mparticle.com https://*.newrelic.com https://*.nr-data.net https://*.optimizely.com https://*.paypal.com https://*.visa.com; style-src 'self' 'unsafe-inline' https://*.starbucks.com https://*.starbucksassets.com https://*.google.com https://fonts.googleapis.com; report-uri https://app.starbucks.com/webhooks/csp-report This CSP is defined in the response headers of every response coming from https://app.starbucks.com/ On the other hand, if we look at the origin of the load: - https://searchfox.org/mozilla-central/source/devtools/server/startup/worker.js#37 - https://searchfox.org/mozilla-central/source/dom/webidl/WorkerDebuggerGlobalScope.webidl#15 - https://searchfox.org/mozilla-central/source/dom/workers/WorkerScope.cpp#1013 - https://searchfox.org/mozilla-central/source/dom/workers/ScriptLoader.cpp#2353 So I think we end up calling ScriptLoader::Load, and this fails. But interestingly, we have already loaded a script in this worker, because `server/startup/worker.js` already runs in the worker thread. The difference is that this is "main script" and it was loaded via ScriptLoader::LoadMainScript. Trying to understand the differences between a regular "DebuggerScript" script and a "main" script, I tried replacing a few "is main script" checks by "is main script or is debugger script". Changing the following on in `LoadAllScripts` seems to do the trick: https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/dom/workers/ScriptLoader.cpp#2212 ```cpp if (!aIsMainScript) { clientInfo = aWorkerPrivate->GetClientInfo(); controller = aWorkerPrivate->GetController(); } ``` But I'm of course missing context on the potential implications of such a change. (In reply to :Harald Kirschner :digitarald from comment #6) > Logs from the first attempt (they don't show up on second tries): > > This works fine with service-worker debugging (`devtools.debugger.features.windowless-service-workers`) on, so bug 1603190 might also fix this. It wouldn't fix the issue here, it would provide a workaround. The feature would still be broken in about:debugging.
Bug 1618546 Comment 7 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
This looks like a CSP issue. The error is 0x805e0006 -> NS_ERROR_CONTENT_BLOCKED. It comes from the following spot https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/dom/security/nsContentSecurityManager.cpp#593 The reason we go into the if block is because `NS_CP_REJECTED(shouldLoad)` is true, so that means NS_CheckContentLoadPolicy rejected the load. (note: I have been using https://app.starbucks.com/ to test this, because it doesn't require signing in to anything to install the service worker). If I log the policy which led to rejecting the script load, it is: > default-src 'self' https://*.starbucks.com https://*.starbucksassets.com; child-src 'self' https://*.starbucks.com https://*.americanexpress.com https://*.chase.com https://*.doubleclick.net https://*.facebook.com https://*.mastercard.com https://masterpass.com https://*.masterpass.com https://*.optimizely.com https://*.paypal.com https://*.visa.com; connect-src 'self' ws: https://*.starbucks.com https://*.starbucksassets.com https://*.akamaihd.net https://*.akstat.io https://*.doubleclick.net https://*.facebook.com https://*.go-mpulse.net https://*.google-analytics.com https://*.iesnare.com wss://mpsnare.iesnare.com https://*.mastercard.com https://*.mparticle.com https://*.nr-data.net https://*.optimizely.com https://*.paypal.com https://thm.visa.com https://*.zeronaught.com; font-src 'self' data: https://*.starbucks.com https://*.starbucksassets.com https://fonts.gstatic.com; img-src 'self' data: https://*.starbucks.com https://*.starbucksassets.com https://*.adsrvr.org https://*.agkn.com https://*.akamaihd.net https://*.bing.com https://*.demdex.net https://*.doubleclick.net https://*.facebook.com https://*.google.com https://*.google-analytics.com https://*.googleapis.com https://*.googletagmanager.com https://*.gstatic.com https://*.marinsm.com https://masterpass.com https://*.masterpass.com https://*.mparticle.com https://*.nr-data.net https://bs.serving-sys.com https://*.visa.com; media-src 'self' data: https://*.starbucks.com https://*.starbucksassets.com https://*.iesnare.com; object-src 'self' https://*.starbucks.com https://thm.visa.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://*.starbucks.com https://*.starbucksassets.com https://*.aexp-static.com https://s3.amazonaws.com https://*.akamaihd.net https://*.bing.com https://*.chase.com https://*.doubleclick.net https://*.facebook.net https://*.go-mpulse.net https://*.google.com https://*.google-analytics.com https://*.googleadservices.com https://*.googleapis.com https://*.googletagmanager.com https://*.iesnare.com https://*.mastercard.com https://masterpass.com https://*.masterpass.com https://*.mparticle.com https://*.newrelic.com https://*.nr-data.net https://*.optimizely.com https://*.paypal.com https://*.visa.com; style-src 'self' 'unsafe-inline' https://*.starbucks.com https://*.starbucksassets.com https://*.google.com https://fonts.googleapis.com; report-uri https://app.starbucks.com/webhooks/csp-report This CSP is defined in the response headers of every response coming from https://app.starbucks.com/ On the other hand, if we look at the origin of the load: - https://searchfox.org/mozilla-central/source/devtools/server/startup/worker.js#37 - https://searchfox.org/mozilla-central/source/dom/webidl/WorkerDebuggerGlobalScope.webidl#15 - https://searchfox.org/mozilla-central/source/dom/workers/WorkerScope.cpp#1013 - https://searchfox.org/mozilla-central/source/dom/workers/ScriptLoader.cpp#2353 So I think we end up calling ScriptLoader::Load, and this fails. But interestingly, we have already loaded a script in this worker, because `server/startup/worker.js` already runs in the worker thread. The difference is that this is "main script" and it was loaded via ScriptLoader::LoadMainScript. Trying to understand the differences between a regular "DebuggerScript" script and a "main" script, I tried replacing a few "is main script" checks by "is main script or is debugger script". Changing the following one in `LoadAllScripts` seems to do the trick: https://searchfox.org/mozilla-central/rev/7d0c94a0e9a9fe1f83553f49b10128567d21709d/dom/workers/ScriptLoader.cpp#2212 ```cpp if (!aIsMainScript) { clientInfo = aWorkerPrivate->GetClientInfo(); controller = aWorkerPrivate->GetController(); } ``` But I'm of course missing context on the potential implications of such a change. (In reply to :Harald Kirschner :digitarald from comment #6) > Logs from the first attempt (they don't show up on second tries): > > This works fine with service-worker debugging (`devtools.debugger.features.windowless-service-workers`) on, so bug 1603190 might also fix this. It wouldn't fix the issue here, it would provide a workaround. The feature would still be broken in about:debugging.