Closed Bug 1236941 Opened 9 years ago Closed 9 years ago

Local Service Worker fails to register in a file:// URL : "SecurityError: The operation is insecure"

Categories

(Core :: General, defect)

Product:
Core
Component:
General
Version:
45 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: mossroy, Unassigned)

Details

Attachments

(1 file)

Test-case to show the serviceworker failing to register
771 bytes, application/gzip
Details 
We need to be able to use a ServiceWorker launched from a local file (an HTML file opened through a file:// URL).
This would allow a simple way to have local HTML pages that have an offline mode.
We have a use-case for an offline wikipedia reader (where the ServiceWorker would read the content locally instead of reading it from the Internet).

But the ServiceWorker fails to register, with a "SecurityError: The operation is insecure"

Steps to reproduce :
- open the attached test-case, and unzip it on your local filesystem
- open the index.html in a Firefox with ServiceWorkers enabled (for example Firefox dev edition>=45)

Expected behavior : the ServiceWorker registers
Actual behavior : the ServiceWorker fails to register

Workaround : install a local webserver on your computer, and access the HTML/js files through it (through a http://localhost URL).

NB : the behavior is the same on Chromium 47. If this behavior is on purpose, I don't see what is the security issue behind that?
Ben, do you know if this is by design?
Flags: needinfo?(bkelly)
This is per spec.  See step 6 of register():

  https://slightlyoff.github.io/ServiceWorker/spec/service_worker/index.html#navigator-service-worker-register

This has been a long standing restriction for service workers.  For example, the Cache API has always blocked file:// URIs.

Generally these restrictions are for safety.  For example, if we allowed a service worker to run from a local file system, then it could be configured to perform work in the background.  In addition, it would have access to potentially the entire file system in the background.  Right now we're not comfortable with this possibility.

If you want to do local testing you can start a local http server and use http://localhost/index.html.  (This is more secure because the local web server will likely only have access to a particular directory tree, not the entire file system.)  Setting this up is pretty easy to do in a number of ways.  For example, if you have python you can just run "python -m SimpleHTTPServer" in the same directory as your files.

If you would like to argue for opening up file:// URIs, please file a spec issue here:

  https://github.com/slightlyoff/ServiceWorker/issues
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(bkelly)
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: