Responding to cross-origin requests using a worker? #130
Comments
|
There's a subtle difference between simply responding to a cross-origin request and responding to a cross-origin request that is embedded in a same-origin page. ServiceWorkers handle the latter case: If a given page at http://domain.com/ requests http://a.domain.com/img.jpeg, then a service worker registered for "http://domain.com/*" will have the opportunity to intercept. On the other hand, if a page at http://a.domain.com/index.html requests http://domain.com/img.jpeg, then that same service worker will NOT be invoked. The pattern matches the toplevel document, NOT the subresource. (And you can substitute a.domain.com for any other domain like foo.com as well) |
|
I assume iframes are a special case here? You don't want the service worker to fake data whose "src" is set to a different origin? |
|
There's some confusion around this issue – @jakearchibald said, during my ServiceWorker talk on Thursday, that the worker can intercept x-origin requests, but the API for manipulating responses will be severely limited. I'll open an issue to explicitly clarify. |
|
Actually, looking again, the spec has something to say on this:
The implication there is that, becuase not being able to make different-origin resources offlineable would be very limiting, they can be intercepted by fetch events. |
|
I'm starting to get confused... If a.com set a SW, could a page on
|
|
Not certain of what you mean, but I think the answer is this: ServiceWorkers are able to make requests according to the same security restrictions as a page. So, they can make a x-origin request (xhr, I'm not entirely clear on whether a resource request from Edit: Actually, on second thoughts, I am. Your ServiceWorker, when requesting a resource from another domain, will not hit that domain's ServiceWorker: there's no document to associate the ServiceWorker with - it's just a resource request. |
I'm not talking about having both a.com & b.com their own SW what would |
|
Ah. Cross-origin ServiceWorkers are a definite no-no:
There's some notes underneath this, but for now it's best to assume no, afaik. |
|
That link and paragraph talks about installing a SW hosted on a different What I'm talking about is if a domain (for example, 'shop.com') install a
|
|
Looks like you missed the edit on my comment:
|
|
Yes, I missed your edit, sorry. So, seems that the answer is "no" :-/ This Send from my Samsung Galaxy Note II
|
|
S'all good. Yep – no it is, and I'm not sure I agree this is not desired. The point of ServiceWorker is that it's associated with one or more documents, and enables you, as the application author, to have programmatic access to durable caches and network access associated with your application. The use-case you talk about, where your app links to a resource of another application, doesn't make sense for that model. There are kind of two answers, imo:
|
But what's happen if I'm developing and app, and want to offer my functionality to other apps? I could be able to use WebIntents and so, but the easiest way it's having a REST API. This require to have a web server, and the user to be online, but some functionality could be also being done client side.
I'm not so much interested on my app linking to a resource of another application, but instead on offer that resource to other apps without needing a central web server/web service, and how could I make it as easy as possible to link it to the ones that want to do it (a plain HTTP request would be ideal). Allowing to my app to install a ServiceWorker that others could use (one thing I've always though it was possible to do from my interpretation of the spec) is the best and easiest solution to do it.
I can't be able to cache the content when it's dinamically generated. On my personal use case, I intent to use the ServiceWorker as the entry point for a WebRTC based P2P network. This service worker would be "running" on background just like UNIX services or daemons do (as I always understood ServiceWorkers would work), but also random "client apps" (the third party, cross origin web pages) could connect to that "daemons" sending request to their REST APIs, only that instead of being processed by real web servers, since the "daemon" ServiceWorker is installed it could intercept and process the fetch and decide itself if it should do a real request to the web server, send it from it's own cache, or as in my personal use case, generate the response dinamically (in my case, add a file to the download queue, or fetching the content from the P2P network). I have been testing and asking for several alternatives, and ServiceWorkers allowing fetch request from third party web pages (the "client apps") is the easiest, powerful and elegant of the solutions. In second place is ask to the user to run the service in a localhost server (if written in Node.js, the code would be almost the same, only difference would the context, a ServiceWorker vs an independent process), that's not so easy nor usually you have the system permissions to do it, and the third one is about requesting to the user to install a browser plugin similar to the Ubuntu Unity integration one instead of a ServiceWorker, that you could agree it's fairly worst not only from the user experience point of view (install a plugin? For what? No, thanks) but also for developers (not transparent integration, one plugin per browser...).
It falls in the same area of REST web services, that if it's down, it doesn't work and request fails. Only difference is that the request is procesed locally by a CORS ServiceWorker instead of remotely by a CORS web service. |
|
@devd Yeah, ifames are a navigate, not a resource fetch, so they'll act like full-page navigates. |
|
Just to confirm, if you make a cross-origin request from a page, it will go through the service worker that manages the page. If there's a service worker registered for the url on the other domain, it will not go the other domain's service worker. I'm open to use-cases here, but I don't think @piranna's REST example is one. Say your site, http://example.com, which has a service worker, makes requests to http://api.jakearchibald.com, which also has a service worker. Let's assume that unhandled requests go through the service worker of the other domain (which they don't). First problem: how is the service worker registered for http://api.jakearchibald.com? Perhaps the root page of http://api.jakearchibald.com contains: <script>navigator.registerServiceWorker('/*', 'ctrl.js');</script>…but who visits the root page of an API domain? Maybe you'd have a hidden iframe on your page pointing to http://api.jakearchibald.com to bootstrap the worker. There's a better way to get this behaviour already, in your worker you'd include: importScripts('http://api.jakearchibald.com/ctrl.js');…which would add listeners for it's API. This means it hears about all fetches, question is if this is any more dangerous than adding a script file from http://api.jakearchibald.com/ onto your page. |
Ok, I see where's the problem: it's like you said, only that in my use case, example.com does NOT have a service worker, the only one here is the SW from apo.jakearchibald.com.
Really good question... You are assuming API is on 'api.jakearchivald.com' (a sub-domain), but what about being the API endpoint at 'jakearchivald.com/api'? This way it could work, both registering the SW at '/*' or better at '/api' (that's what I was thinking for)...
Little hackerish, isn't it? :-/
Here you asume that the dev of example.com would include the api script of jakearchivald.com, but my intention is to be used from elsewere, also as links on a forum or similar. I'm with exams, but I'll try to find some time to do a thoroughly in detail explanation of my use case and publish it so we can all be sure we are talking about the same, and also you could send me suggestions if you think there are better solutions. |
That doesn't matter, the issues I point out still apply even if the page's domain doesn't have a service worker at all.
Not really, you're still depending on a visitor to your site having visited mine in order to get the worker registration.
Links on a forum would be fine, as clicking a link causes a navigation, so that will use the service worker of the destination url. |
|
|
Nah, any requests which are part of the page (images, xhr, js, css etc) will go through the serviceworker of the current page. For registerProtocolHandler, if it redirects to an http(s) page, it'll use the serviceworker of the destination page. |
Great then, I think I could do it the way I intended (registerProtolHandler By the way, we should write clear this points and this definitions |
|
@piranna – would you mind replying on Github? Your email replies are very hard to read! |
|
Sorry @PhUU, I didn't know they were looking so ugly. I'll do it here from now. |
|
@jakearchibald, @ all; Anyone can solve chrome ext crossorigin serviceworker? |
I was wondering how this situation was possible:
It seems to me that a service worker can only reply to requests to its own server, and all those requests are by definition same-origin.
Or can a worker installed from "domain.com" reply to a request of "a.domain.com" to a resource of "b.domain.com"? Even if so, my interpretation is that the "same origin" in this case is still "b.domain.com" and not "a.domain.com" or "domain.com".
What was the intent here?
The text was updated successfully, but these errors were encountered: