Closed Bug 1869108 Opened 1 year ago Closed 1 year ago

Service worker is created in insecure contexts - regression?

Categories

(Core :: DOM: Service Workers, defect, P3)

Product:
Core
Component:
DOM: Service Workers
Version:
Firefox 120
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: ivan.zderadicka, Unassigned)

Details

Steps to reproduce:

Go to site with service worker via insecure context, e.g:

  • plain http not https
  • not localhost

Actual results:

Serviceworker was registered for this site in insecure context. But global caches are not available in browser insecure contexts (undefined as expected per documentation, but they are available in secure context as usual).
I was detecting availability of service worker and then assumed that I'm in secure context and both caches and service worker are fine to use.
Now it behaves differently with Firefox v.120. It's a regression, because in previous versions service worker was not available in insecure context.

Chromium is fine and works as expected.

Expected results:

Service worker should not be available in insecure contexts,.

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Service Workers' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → DOM: Service Workers
Product: Firefox → Core

Reporter, do you have exact steps to reproduce this?

Andrew, do you recall anything which could have changed the behavior?

Severity: -- → S3
Flags: needinfo?(ivan.zderadicka)
Flags: needinfo?(bugmail)
Priority: -- → P3

I'm not seeing this reproduce. Possible explanations the reporter could be experiencing this are:

  • devtools has a setting "Enable Service Workers over HTTP (when toolbox is open)" which corresponds to the devtools.serviceWorkers.testing.enabled pref that explicitly makes it possible to test ServiceWorkers in this way.
  • We also have a testing pref devtools.serviceWorkers.testing.enabled that makes it possible to use ServiceWorkers in insecure contexts.

Note that these preferences can make it possible to end up in a weird state where the preference enabled a ServiceWorker to be installed in the past that's still installed even if the preferences aren't currently active. If attempting to reproduce, it's probably ideal to start with a fresh profile.

In the interest of avoiding confusion, I'm going to mark this as WORKSFORME based on my inability to reproduce, but obviously this would be a serious concern if it reproduces, so I will be paying attention to the bug when the reporter responds to :smaug's needinfo.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Flags: needinfo?(bugmail)
Resolution: --- → WORKSFORME

I did have "Enable Service Workers over HTTP (when toolbox is open)" so I guess it might be the cause.
Though I do not remember to change it, however as said it's used only if toolbox is opened, some maybe I opened it recently, behavior of app changed, I attributed it to new version of FF.

It's bit of confusing ...

Flags: needinfo?(ivan.zderadicka)
You need to log in before you can comment on or make changes to this bug.