diff --git a/docs/index.bs b/docs/index.bs
index 6ba1923c..61d56771 100644
--- a/docs/index.bs
+++ b/docs/index.bs
@@ -156,7 +156,7 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
A script resource has an associated referrer policy (a [=/referrer policy=]). It is initially the empty string.
- A [=/service worker=] has an associated script resource map which is an ordered map where the keys are [=/URLs=] and the values are [=/responses=].
+ A [=script resource=] has an associated imported scripts map which is an ordered map where the keys are [=/URLs=] and the values are [=/responses=].
A [=/service worker=] has an associated skip waiting flag. Unless stated otherwise it is unset.
@@ -2159,10 +2159,10 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
1. Let |response| be the result of fetching |request|.
1. If |response|’s cache state is not "local
", set |registration|’s [=service worker registration/last update check time=] to the current time.
1. If |response|'s unsafe response's [=response/type=] is not "error
", and |response|'s [=response/status=] is an ok status, then:
- 1. [=map/Set=] script resource map[|request|'s [=request/url=]] to |response|
+ 1. [=map/Set=] |serviceWorker|'s [=script resource=]'s [=script resource/imported scripts map=][|request|'s [=request/url=]] to |response|.
1. Return |response|.
1. Else:
- 1. If script resource map[|url|] [=map/exists=], return script resource map[|url|].
+ 1. If |serviceWorker|'s [=script resource=]'s [=script resource/imported scripts map=][|url|] [=map/exists=], return |serviceWorker|'s [=script resource=]'s [=script resource/imported scripts map=][|url|].
1. Else, return a network error.
@@ -2190,7 +2190,7 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
Privacy
- [=/Service workers=] introduce new persistent storage features including scope to registration map (for [=/service worker registrations=] and their [=/service workers=]), request to response map and name to cache map (for caches), and script resource map (for script resources). In order to protect users from any potential unsanctioned tracking threat, these persistent storages *should* be cleared when users intend to clear them and *should* maintain and interoperate with existing user controls e.g. purging all existing persistent storages.
+ [=/Service workers=] introduce new persistent storage features including scope to registration map (for [=/service worker registrations=] and their [=/service workers=]), request to response map and name to cache map (for caches), and [=script resource/imported scripts map=] (for script resources). In order to protect users from any potential unsanctioned tracking threat, these persistent storages *should* be cleared when users intend to clear them and *should* maintain and interoperate with existing user controls e.g. purging all existing persistent storages.
Check If Service Worker Resources Are Identical
+
+ : Input
+ :: |sourceScript|, a [=script=]
+ :: |targetScript|, a [=script=]
+ :: |registration|, a [=/service worker registration=]
+ :: |job|, a [=job=]
+ : Output
+ :: True or false, a boolean
+
+ 1. If |sourceScript| and |targetScript| are not both [=classic scripts=] or not both [=module scripts=], return false.
+ 1. If |sourceScript| is a [=classic script=], then:
+ 1. If |sourceScript|'s [=source text=] is not a byte-for-byte match with |targetScript|'s [=source text=], return false.
+ 1. Let |sourceMap| be |sourceScript|'s [=script resource/imported scripts map=].
+ 1. [=map/For each=] |url| → |response| of |sourceMap|:
+ 1. Let |request| be a new [=/request=] whose [=request/url=] is |url|, [=request/client=] is |job|'s [=job/client=], [=request/type=] is "script
", [=request/destination=] is "script
", [=request/parser metadata=] is "not parser-inserted
", [=request/synchronous flag=] is set, and whose [=request/use-URL-credentials flag=] is set.
+ 1. Set |request|'s [=request/cache mode=] to "no-cache
" if any of the following are true:
+ * |registration|'s [=service worker registration/use cache=] is false.
+ * |job|'s [=force bypass cache flag=] is set.
+ * |registration|'s [=last update check time=] is not null and the time difference in seconds calculated by the current time minus |registration|’s [=last update check time=] is greater than 86400.
+ 1. Let |targetResponse| be the result of [=fetch|fetching=] |request|.
+ 1. If |targetResponse|'s cache state is not "local
", set |registration|’s [=last update check time=] to the current time.
+ 1. Let |targetResponse| be |targetResponse|'s [=unsafe response=].
+ 1. If |targetResponse|'s [=response/type=] is "error
", or |targetResponse|'s [=response/status=] is not an [=ok status=], return false.
+ 1. If the result of [=UTF-8 decoding=] |response|'s [=response/body=] is not a byte-for-byte match with the result of [=UTF-8 decoding=] |targetResponse|'s [=response/body=], return false.
+ 1. If |sourceScript| is a [=module script=], then:
+ 1. If |sourceScript|’s [=module script/module record=]'s \[[ECMAScriptCode]] is not a byte-for-byte match with |targetScript|’s [=module script/module record=]'s \[[ECMAScriptCode]], return false.
+ 1. Return true.
+ Create Client
diff --git a/docs/index.html b/docs/index.html
index 15dd160f..68af7961 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -1695,6 +1695,7 @@ Table of Contents
A script resource has an associated has ever been evaluated flag. It is initially unset.
A script resource has an associated HTTPS state (an HTTPS state value). It is initially "none
".
A script resource has an associated referrer policy (a referrer policy). It is initially the empty string.
-A service worker has an associated script resource map which is an ordered map where the keys are URLs and the values are responses.
-A service worker has an associated skip waiting flag. Unless stated otherwise it is unset.
-A service worker has an associated imported scripts updated flag. It is initially unset.
-A service worker has an associated set of event types to handle whose element type is an event listener’s event type. It is initially set to null.
-A service worker has an associated list of foreign fetch scopes whose element type is a URL. It is initially empty.
-A service worker has an associated list of foreign fetch origins whose element type is a URL. It is initially empty.
+A script resource has an associated imported scripts map which is an ordered map where the keys are URLs and the values are responses.
+A service worker has an associated skip waiting flag. Unless stated otherwise it is unset.
+A service worker has an associated imported scripts updated flag. It is initially unset.
+A service worker has an associated set of event types to handle whose element type is an event listener’s event type. It is initially set to null.
+A service worker has an associated list of foreign fetch scopes whose element type is a URL. It is initially empty.
+A service worker has an associated list of foreign fetch origins whose element type is a URL. It is initially empty.
The lifetime of a service worker is tied to the execution lifetime of events and not references held by service worker clients to the ServiceWorker
object.
A user agent may terminate service workers at any time it:
+The lifetime of a service worker is tied to the execution lifetime of events and not references held by service worker clients to the ServiceWorker
object.
A user agent may terminate service workers at any time it:
Has no event to handle.
@@ -1777,11 +1778,11 @@A service worker registration is a tuple of a scope url and a set of service workers, an installing worker, a waiting worker, and an active worker. A user agent may enable many service worker registrations at a single origin so long as the scope url of the service worker registration differs. A service worker registration of an identical scope url when one already exists in the user agent causes the existing service worker registration to be replaced.
+A service worker registration is a tuple of a scope url and a set of service workers, an installing worker, a waiting worker, and an active worker. A user agent may enable many service worker registrations at a single origin so long as the scope url of the service worker registration differs. A service worker registration of an identical scope url when one already exists in the user agent causes the existing service worker registration to be replaced.
A service worker registration has an associated scope url (a URL).
-A service worker registration has an associated installing worker (a service worker or null) whose state is installing. It is initially set to null.
-A service worker registration has an associated waiting worker (a service worker or null) whose state is installed. It is initially set to null.
-A service worker registration has an associated active worker (a service worker or null) whose state is either activating or activated. It is initially set to null.
+A service worker registration has an associated installing worker (a service worker or null) whose state is installing. It is initially set to null.
+A service worker registration has an associated waiting worker (a service worker or null) whose state is installed. It is initially set to null.
+A service worker registration has an associated active worker (a service worker or null) whose state is either activating or activated. It is initially set to null.
A service worker registration has an associated last update check time. It is initially set to null.
A service worker registration has an associated use cache (a boolean). It is initially set to false.
A service worker registration has an associated uninstalling flag. It is initially unset.
@@ -1809,16 +1810,16 @@The following additional task sources are used by service workers.
+The following additional task sources are used by service workers.
The handle fetch task source
This task source is used for dispatching fetch
events to service workers.
This task source is used for dispatching fetch
events to service workers.
The handle functional event task source
This task source is used for features that dispatch other functional events, e.g. push
events, to service workers.
This task source is used for features that dispatch other functional events, e.g. push
events, to service workers.
Note: A user agent may use a separate task source for each functional event type in order to avoid a head-of-line blocking phenomenon for certain functional events.
An installing worker does not persist but discarded. If the installing worker was the only service worker for the service worker registration, the service worker registration is discarded.
+An installing worker does not persist but discarded. If the installing worker was the only service worker for the service worker registration, the service worker registration is discarded.
A waiting worker promotes to an active worker.
A ServiceWorker
object represents a service worker. Each ServiceWorker
object is associated with a service worker. Multiple separate objects implementing the ServiceWorker
interface across documents and workers can all be associated with the same service worker simultaneously.
A ServiceWorker
object has an associated ServiceWorkerState
object which is itself associated with service worker's state.
A ServiceWorker
object represents a service worker. Each ServiceWorker
object is associated with a service worker. Multiple separate objects implementing the ServiceWorker
interface across documents and workers can all be associated with the same service worker simultaneously.
A ServiceWorker
object has an associated ServiceWorkerState
object which is itself associated with service worker's state.
scriptURL
The scriptURL
attribute must return the service worker's serialized script url.
The scriptURL
attribute must return the service worker's serialized script url.
https://example.com/app.html
which matches via the following registration call which has been previously executed:
// Script on the page https://example.com/app.html
@@ -1895,7 +1896,7 @@ <
-
If the state
attribute value of the context object is "redundant"
, throw an "InvalidStateError
" exception and abort these steps.
-
-
Let serviceWorker be the service worker represented by the context object.
+ Let serviceWorker be the service worker represented by the context object.
-
Invoke Run Service Worker algorithm with serviceWorker as the argument.
-
@@ -1970,17 +1971,17 @@
3.2.1. installing
installing
attribute must return the value to which it was last set.
- Note: The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
+ Note: The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
3.2.2. waiting
waiting
attribute must return the value to which it was last set.
- Note: The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
+ Note: The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
3.2.3. active
active
attribute must return the value to which it was last set.
- Note: The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
+ Note: The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
3.2.4. scope
@@ -2084,7 +2085,7 @@ ServiceWorkerContainer object when a Navigator
object or a WorkerNavigator
object is created and associate it with that object.
-
A ServiceWorkerContainer
provides capabilities to register, unregister, and update the service worker registrations, and provides access to the state of the service worker registrations and their associated service workers.
+ A ServiceWorkerContainer
provides capabilities to register, unregister, and update the service worker registrations, and provides access to the state of the service worker registrations and their associated service workers.
A ServiceWorkerContainer
has an associated service worker client, which is a service worker client whose global object is associated with the Navigator
object or the WorkerNavigator
object that the ServiceWorkerContainer
is retrieved from.
A ServiceWorkerContainer
object has an associated ready promise (a promise). It is initially set to a new promise.
A ServiceWorkerContainer
object has a task source called the client message queue, initially empty. A client message queue can be enabled or disabled, and is initially disabled. When a ServiceWorkerContainer
object’s client message queue is enabled, the event loop must use it as one of its task sources. When the ServiceWorkerContainer
object’s relevant global object is a Window
object, all tasks queued on its client message queue must be associated with its relevant settings object’s responsible document.
@@ -2097,7 +2098,7 @@
Return the ServiceWorker
object that represents client’s active service worker.
- Note: navigator.serviceWorker.controller
returns null
if the request is a force refresh (shift+refresh). The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
+ Note: navigator.serviceWorker.controller
returns null
if the request is a force refresh (shift+refresh). The ServiceWorker
objects returned from this attribute getter that represent the same service worker are the same objects.
3.4.2. ready
@@ -2284,7 +2285,7 @@
controllerchange
Event
- The service worker client's active service worker changes. (See step 9.2 of the Activate algorithm. The skip waiting flag of a service worker causes activation of the service worker registration to occur while service worker clients are using the service worker registration, navigator.serviceWorker.controller
immediately reflects the active worker as the service worker that controls the service worker client.)
+ The service worker client's active service worker changes. (See step 9.2 of the Activate algorithm. The skip waiting flag of a service worker causes activation of the service worker registration to occur while service worker clients are using the service worker registration, navigator.serviceWorker.controller
immediately reflects the active worker as the service worker that controls the service worker client.)
@@ -2346,8 +2347,8 @@ attribute EventHandler onmessage; // event.source of the message events is Client object
};
-
A ServiceWorkerGlobalScope
object represents the global execution context of a service worker. A ServiceWorkerGlobalScope
object has an associated service worker (a service worker). A ServiceWorkerGlobalScope
object has an associated force bypass cache for importscripts flag. It is initially unset.
- Note: ServiceWorkerGlobalScope
object provides generic, event-driven, time-limited script execution contexts that run at an origin. Once successfully registered, a service worker is started, kept alive and killed by their relationship to events, not service worker clients. Any type of synchronous requests must not be initiated inside of a service worker.
+ A ServiceWorkerGlobalScope
object represents the global execution context of a service worker. A ServiceWorkerGlobalScope
object has an associated service worker (a service worker). A ServiceWorkerGlobalScope
object has an associated force bypass cache for importscripts flag. It is initially unset.
+ Note: ServiceWorkerGlobalScope
object provides generic, event-driven, time-limited script execution contexts that run at an origin. Once successfully registered, a service worker is started, kept alive and killed by their relationship to events, not service worker clients. Any type of synchronous requests must not be initiated inside of a service worker.
4.1.1. clients
clients
attribute must return the Clients
object that is associated with the context object.
@@ -2358,7 +2359,7 @@
4.1.3. skipWaiting()
-
Note: The skipWaiting()
method allows this service worker to progress from the registration's waiting position to active even while service worker clients are using the registration.
+ Note: The skipWaiting()
method allows this service worker to progress from the registration's waiting position to active even while service worker clients are using the registration.
skipWaiting()
method must run these steps:
-
@@ -2367,7 +2368,7 @@
in parallel:
-
-
Set service worker's skip waiting flag.
+ Set service worker's skip waiting flag.
-
Resolve promise with undefined.
@@ -2946,9 +2947,9 @@
An ExtendableEvent
object has an associated extend lifetime promises (an array of promises). It is initially an empty array.
An ExtendableEvent
object has an associated extensions allowed flag. It is initially set.
- Service workers have two lifecycle events, install
and activate
. Service workers use the ExtendableEvent
interface for activate
event and install
event.
+ Service workers have two lifecycle events, install
and activate
. Service workers use the ExtendableEvent
interface for activate
event and install
event.
Service worker extensions that define event handlers may also use or extend the ExtendableEvent
interface.
- Note: To extend the lifetime of a service worker, algorithms that dispatch events using the ExtendableEvent
interface run Extend Service Worker Lifetime algorithm after dispatching the event. See Handle Fetch, Handle Foreign Fetch, and Handle Functional Event.
+ Note: To extend the lifetime of a service worker, algorithms that dispatch events using the ExtendableEvent
interface run Extend Service Worker Lifetime algorithm after dispatching the event. See Handle Fetch, Handle Foreign Fetch, and Handle Functional Event.
4.4.1. event.waitUntil(f)
waitUntil()
method extends the lifetime of the event.
@@ -2966,13 +2967,13 @@ Add f to the extend lifetime promises.
- Service workers and extensions that define event handlers may define their own behaviors, allowing the extend lifetime promises to suggest operation length, and the rejected state of any of the promise in extend lifetime promises to suggest operation failure.
- Service workers define the following behaviors for install
event and activate
event, respectively:
+ Service workers and extensions that define event handlers may define their own behaviors, allowing the extend lifetime promises to suggest operation length, and the rejected state of any of the promise in extend lifetime promises to suggest operation failure.
+ Service workers define the following behaviors for install
event and activate
event, respectively:
-
-
Adding a promise f to the event’s extend lifetime promises delays treating the installing worker as installed (i.e. a waiting worker) until all the promises in the extend lifetime promises resolve successfully. (See step 11.3.1 of Install algorithm.) If f rejects, the installation fails. This is primarily used to ensure that a service worker is not considered installed (i.e. a waiting worker) until all of the core caches it depends on are populated.
+ Adding a promise f to the event’s extend lifetime promises delays treating the installing worker as installed (i.e. a waiting worker) until all the promises in the extend lifetime promises resolve successfully. (See step 11.3.1 of Install algorithm.) If f rejects, the installation fails. This is primarily used to ensure that a service worker is not considered installed (i.e. a waiting worker) until all of the core caches it depends on are populated.
-
-
Adding a promise to the event’s extend lifetime promises delays treating the active worker as activated until all the promises in the extend lifetime promises settle. (See step 12.3 of Activate algorithm.) This is primarily used to ensure that any functional events are not dispatched to the ServiceWorkerGlobalScope
object that represents the service worker until it upgrades database schemas and deletes the outdated cache entries.
+ Adding a promise to the event’s extend lifetime promises delays treating the active worker as activated until all the promises in the extend lifetime promises settle. (See step 12.3 of Activate algorithm.) This is primarily used to ensure that any functional events are not dispatched to the ServiceWorkerGlobalScope
object that represents the service worker until it upgrades database schemas and deletes the outdated cache entries.
@@ -3037,9 +3038,9 @@
-
Set this service worker's list of foreign fetch scopes to subScopeURLs.
+ Set this service worker's list of foreign fetch scopes to subScopeURLs.
-
-
Set this service worker's list of foreign fetch origins to originURLs.
+ Set this service worker's list of foreign fetch origins to originURLs.
@@ -3064,7 +3065,7 @@ boolean isReload = false;
};
-
Service workers have an essential functional event fetch
. For fetch
event, service workers use the FetchEvent
interface which extends the ExtendableEvent
interface.
+ Service workers have an essential functional event fetch
. For fetch
event, service workers use the FetchEvent
interface which extends the ExtendableEvent
interface.
Each event using FetchEvent
interface has an associated potential response (a response), initially set to null, and the following associated flags that are initially unset:
-
@@ -3247,7 +3248,7 @@
sequence<ByteString> headers;
};
-
Service workers have a functional event foreignfetch
. For foreignfetch
events, service workers use the ForeignFetchEvent
interface which extends the ExtendableEvent
interface.
+ Service workers have a functional event foreignfetch
. For foreignfetch
events, service workers use the ForeignFetchEvent
interface which extends the ExtendableEvent
interface.
Each event using ForeignFetchEvent
interface has an associated potential response (a response), initially set to null, an associated origin (a USVString
or null), initially set to null, an associated list of exposed headers (whose element type is a byte string), initially set to an empty list, and the following associated flags that are initially unset:
-
@@ -3419,7 +3420,7 @@
sequence<MessagePort> ports = [];
};
-
Service workers define the extendable message
event to allow extending the lifetime of the event. For the message
event, service workers use the ExtendableMessageEvent
interface which extends the ExtendableEvent
interface.
+ Service workers define the extendable message
event to allow extending the lifetime of the event. For the message
event, service workers use the ExtendableMessageEvent
interface which extends the ExtendableEvent
interface.
4.8.1. event.data
The data attribute must return the value it was initialized to. When the object is created, this attribute must be initialized to null. It represents the message being sent.
@@ -3584,7 +3585,7 @@ 6.2. Understanding Cache Lifetimes
- The Cache
instances are not part of the browser’s HTTP cache. The Cache
objects are exactly what authors have to manage themselves. The Cache
objects do not get updated unless authors explicitly request them to be. The Cache
objects do not expire unless authors delete the entries. The Cache
objects do not disappear just because the service worker script is updated. That is, caches are not updated automatically. Updates must be manually managed. This implies that authors should version their caches by name and make sure to use the caches only from the version of the service worker that can safely operate on.
+ The Cache
instances are not part of the browser’s HTTP cache. The Cache
objects are exactly what authors have to manage themselves. The Cache
objects do not get updated unless authors explicitly request them to be. The Cache
objects do not expire unless authors delete the entries. The Cache
objects do not disappear just because the service worker script is updated. That is, caches are not updated automatically. Updates must be manually managed. This implies that authors should version their caches by name and make sure to use the caches only from the version of the service worker that can safely operate on.
6.3. self.caches
@@ -4276,16 +4277,16 @@ 7. Security Considerations
7.1. Secure Context
- Service workers must execute in secure contexts. Service worker clients must also be secure contexts to register a service worker registration, to get access to the service worker registrations and the service workers, to do messaging with the service workers, and to be manipulated by the service workers. This effectively means that service workers and their service worker clients should be hosted over HTTPS. A user agent may allow localhost
, 127.0.0.0/8
, and ::1/128
for development purpose. (Note that they may still be secure contexts.) The primary reason for this restriction is to protect users from the risks associated with insecure contexts.
+ Service workers must execute in secure contexts. Service worker clients must also be secure contexts to register a service worker registration, to get access to the service worker registrations and the service workers, to do messaging with the service workers, and to be manipulated by the service workers. This effectively means that service workers and their service worker clients should be hosted over HTTPS. A user agent may allow localhost
, 127.0.0.0/8
, and ::1/128
for development purpose. (Note that they may still be secure contexts.) The primary reason for this restriction is to protect users from the risks associated with insecure contexts.
7.2. Content Security Policy
- Whenever a user agent invokes Run Service Worker algorithm with a service worker serviceWorker:
+ Whenever a user agent invokes Run Service Worker algorithm with a service worker serviceWorker:
-
-
If serviceWorker’s script resource was delivered with a Content-Security-Policy
HTTP header containing the value policy, the user agent must enforce policy for serviceWorker.
+ If serviceWorker’s script resource was delivered with a Content-Security-Policy
HTTP header containing the value policy, the user agent must enforce policy for serviceWorker.
-
-
If serviceWorker’s script resource was delivered with a Content-Security-Policy-Report-Only
HTTP header containing the value policy, the user agent must monitor policy for serviceWorker.
+ If serviceWorker’s script resource was delivered with a Content-Security-Policy-Report-Only
HTTP header containing the value policy, the user agent must monitor policy for serviceWorker.
The primary reason for this restriction is to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS).
@@ -4294,7 +4295,7 @@
7.3.1. Origin restriction
This section is non-normative.
- A service worker executes in the registering service worker client's origin. One of the advanced concerns that major applications would encounter is whether they can be hosted from a CDN. By definition, these are servers in other places, often on other origins. Therefore, service workers cannot be hosted on CDNs. But they can include resources via importScripts(). The reason for this restriction is that service workers create the opportunity for a bad actor to turn a bad day into a bad eternity.
+ A service worker executes in the registering service worker client's origin. One of the advanced concerns that major applications would encounter is whether they can be hosted from a CDN. By definition, these are servers in other places, often on other origins. Therefore, service workers cannot be hosted on CDNs. But they can include resources via importScripts(). The reason for this restriction is that service workers create the opportunity for a bad actor to turn a bad day into a bad eternity.
7.3.2. importScripts(urls)
@@ -4325,7 +4326,7 @@ unsafe response’s type is not "error
", and response’s status is an ok status, then:
-
-
Set script resource map[request’s url] to response
+ Set serviceWorker’s script resource's imported scripts map[request’s url] to response.
-
Return response.
@@ -4334,7 +4335,7 @@
- If script resource map[url] exists, return script resource map[url].
+ If serviceWorker’s script resource's imported scripts map[url] exists, return serviceWorker’s script resource's imported scripts map[url].
-
Else, return a network error.
@@ -4344,7 +4345,7 @@ 7.4. Cross-Origin Resources and CORS
This section is non-normative.
- Applications tend to cache items that come from a CDN or other origin. It is possible to request many of them directly using <script>
, <img>
, <video>
and <link>
elements. It would be hugely limiting if this sort of runtime collaboration broke when offline. Similarly, it is possible to fetch many sorts of off-origin resources when appropriate CORS headers are set. Service workers enable this by allowing Caches
to fetch and cache off-origin items. Some restrictions apply, however. First, unlike same-origin resources which are managed in the Cache
as Response
objects whose corresponding responses are basic filtered response, the objects stored are Response
objects whose corresponding responses are either CORS filtered responses or opaque filtered responses. They can be passed to event.respondWith(r)
method in the same manner as the Response
objects whose corresponding responses are basic filtered responses, but cannot be meaningfully created programmatically. These limitations are necessary to preserve the security invariants of the platform. Allowing Caches
to store them allows applications to avoid re-architecting in most cases.
+ Applications tend to cache items that come from a CDN or other origin. It is possible to request many of them directly using <script>
, <img>
, <video>
and <link>
elements. It would be hugely limiting if this sort of runtime collaboration broke when offline. Similarly, it is possible to fetch many sorts of off-origin resources when appropriate CORS headers are set. Service workers enable this by allowing Caches
to fetch and cache off-origin items. Some restrictions apply, however. First, unlike same-origin resources which are managed in the Cache
as Response
objects whose corresponding responses are basic filtered response, the objects stored are Response
objects whose corresponding responses are either CORS filtered responses or opaque filtered responses. They can be passed to event.respondWith(r)
method in the same manner as the Response
objects whose corresponding responses are basic filtered responses, but cannot be meaningfully created programmatically. These limitations are necessary to preserve the security invariants of the platform. Allowing Caches
to store them allows applications to avoid re-architecting in most cases.
7.5. Implementer Concerns
@@ -4352,19 +4353,19 @@ The implementers are encouraged to note:
-
-
Plug-ins should not load via service workers. As plug-ins may get their security origins from their own urls, the embedding service worker cannot handle it. For this reason, the Handle Fetch algorithm makes the potential-navigation-or-subresource request (whose context is either <embed>
or <object>
) immediately fallback to the network without dispatching fetch
event.
+ Plug-ins should not load via service workers. As plug-ins may get their security origins from their own urls, the embedding service worker cannot handle it. For this reason, the Handle Fetch algorithm makes the potential-navigation-or-subresource request (whose context is either <embed>
or <object>
) immediately fallback to the network without dispatching fetch
event.
-
-
Some of the legacy networking stack code may need to be carefully audited to understand the ramifications of interactions with service workers.
+ Some of the legacy networking stack code may need to be carefully audited to understand the ramifications of interactions with service workers.
7.6. Privacy
- Service workers introduce new persistent storage features including scope to registration map (for service worker registrations and their service workers), request to response map and name to cache map (for caches), and script resource map (for script resources). In order to protect users from any potential unsanctioned tracking threat, these persistent storages should be cleared when users intend to clear them and should maintain and interoperate with existing user controls e.g. purging all existing persistent storages.
+ Service workers introduce new persistent storage features including scope to registration map (for service worker registrations and their service workers), request to response map and name to cache map (for caches), and imported scripts map (for script resources). In order to protect users from any potential unsanctioned tracking threat, these persistent storages should be cleared when users intend to clear them and should maintain and interoperate with existing user controls e.g. purging all existing persistent storages.
8. Extensibility
- Service workers are extensible from other specifications.
+ Service workers are extensible from other specifications.
8.1. Define API bound to Service Worker Registration
Specifications may define an API tied to a service worker registration by using partial interface definition to the ServiceWorkerRegistration
interface where it may define the specification specific attributes and methods:
@@ -4395,7 +4396,7 @@ 8.4. Request Functional Event Dispatch
- To request a functional event dispatch to a service worker, specifications may invoke Handle Functional Event algorithm with its service worker registration registration and the algorithm callbackSteps as the arguments.
+ To request a functional event dispatch to a service worker, specifications may invoke Handle Functional Event algorithm with its service worker registration registration and the algorithm callbackSteps as the arguments.
Specifications may define an algorithm callbackSteps where the corresponding functional event can be created and fired with specification specific objects. The algorithm is passed globalObject (a ServiceWorkerGlobalScope
object) at which it may fire its functional events. This algorithm is called on a task queued by Handle Functional Event algorithm.
Note: See an example hook defined in Notifications API.
@@ -4855,7 +4856,7 @@
Else, continue the rest of these steps after the algorithm’s asynchronous completion, with script being the asynchronous completion value.
-
-
If newestWorker is not null, newestWorker’s script url equals job’s script url with the exclude fragments flag set, and script’s source text is a byte-for-byte match with newestWorker’s script resource's source text, if script is a classic script, and script’s module record's [[ECMAScriptCode]] is a byte-for-byte match with newestWorker’s script resource's module record's [[ECMAScriptCode]] otherwise, then:
+ If newestWorker is not null, newestWorker’s script url equals job’s script url with the exclude fragments flag set, and the result of invoking Check If Service Worker Resources Are Identical with newestWorker’s script resource, script, registration, and job is true, then:
-
Invoke Resolve Job Promise with job and the ServiceWorkerRegistration
object which represents registration.
@@ -4866,15 +4867,15 @@ Else:
-
-
Let worker be a new service worker.
+ Let worker be a new service worker.
-
Generate a unique opaque string and set worker’s id to the value.
-
-
Set worker’s script url to job’s script url, worker’s script resource to script, and worker’s type to job’s worker type.
+ Set worker’s script url to job’s script url, worker’s script resource to script, and worker’s type to job’s worker type.
-
-
Set worker’s script resource’s HTTPS state to httpsState.
+ Set worker’s script resource’s HTTPS state to httpsState.
-
-
Set worker’s script resource’s referrer policy to referrerPolicy.
+ Set worker’s script resource’s referrer policy to referrerPolicy.
-
Invoke Run Service Worker algorithm given worker, and with the force bypass cache for importscripts flag set if job’s force bypass cache flag is set.
-
@@ -4931,7 +4932,7 @@
job, a job
-
-
worker, a service worker
+ worker, a service worker
-
registration, a service worker registration
-
@@ -4955,7 +4956,7 @@
Invoke Resolve Job Promise with job and the ServiceWorkerRegistration
object which represents registration.
-
-
Queue a task to fire an event named updatefound
at all the ServiceWorkerRegistration
objects for all the service worker clients whose creation URL matches registration’s scope url and all the service workers whose containing service worker registration is registration.
+ Queue a task to fire an event named updatefound
at all the ServiceWorkerRegistration
objects for all the service worker clients whose creation URL matches registration’s scope url and all the service workers whose containing service worker registration is registration.
-
Let installingWorker be registration’s installing worker.
-
@@ -5114,7 +5115,7 @@
Input
-
-
serviceWorker, a service worker
+ serviceWorker, a service worker
-
force bypass cache for importscripts flag, an optional flag unset by default
-
@@ -5124,7 +5125,7 @@
- Let script be serviceWorker’s script resource.
+ Let script be serviceWorker’s script resource.
-
Assert: script is not null.
-
@@ -5186,9 +5187,9 @@
Set workerGlobalScope’s url to serviceWorker’s script url.
-
-
Set workerGlobalScope’s HTTPS state to serviceWorker’s script resource’s HTTPS state.
+ Set workerGlobalScope’s HTTPS state to serviceWorker’s script resource’s HTTPS state.
-
-
Set workerGlobalScope’s referrer policy to serviceWorker’s script resource’s referrer policy.
+ Set workerGlobalScope’s referrer policy to serviceWorker’s script resource’s referrer policy.
-
-
@@ -5221,7 +5222,7 @@
Input
-
-
serviceWorker, a service worker
+ serviceWorker, a service worker
-
Output
-
@@ -5271,11 +5272,11 @@
Unset event’s extensions allowed flag.
- The user agent should not terminate the service worker associated with event’s relevant settings object’s global object until event’s extensions allowed flag is unset. However, the user agent may impose a time limit to this lifetime extension.
+ The user agent should not terminate the service worker associated with event’s relevant settings object’s global object until event’s extensions allowed flag is unset. However, the user agent may impose a time limit to this lifetime extension.
Handle Fetch
- The Handle Fetch algorithm is the entry point for the fetch handling handed to the service worker context.
+ The Handle Fetch algorithm is the entry point for the fetch handling handed to the service worker context.
-
Input
@@ -5440,7 +5441,7 @@
Handle Foreign Fetch
- The Handle Foreign Fetch algorithm is the entry point for the fetch handling handed to the service worker context to handle foreign fetch requests.
+ The Handle Foreign Fetch algorithm is the entry point for the fetch handling handed to the service worker context to handle foreign fetch requests.
-
Input
@@ -5843,7 +5844,7 @@
target, a string (one of "installing
", "waiting
", and "active
")
-
-
source, a service worker or null
+ source, a service worker or null
-
Output
-
@@ -5897,9 +5898,9 @@
Input
-
-
worker, a service worker
+ worker, a service worker
-
-
state, a service worker's state
+ state, a service worker's state
-
Output
-
@@ -5923,27 +5924,27 @@
installing
-
-
Note: The service worker in this state is considered an installing worker. During this state, waitUntil()
can be called inside the oninstall
event handler to extend the life of the installing worker until the passed promise resolves successfully. This is primarily used to ensure that the service worker is not active until all of the core caches are populated.
+ Note: The service worker in this state is considered an installing worker. During this state, waitUntil()
can be called inside the oninstall
event handler to extend the life of the installing worker until the passed promise resolves successfully. This is primarily used to ensure that the service worker is not active until all of the core caches are populated.
-
installed
-
-
Note: The service worker in this state is considered a waiting worker.
+ Note: The service worker in this state is considered a waiting worker.
-
activating
-
-
Note: The service worker in this state is considered an active worker. During this state, waitUntil()
can be called inside the onactivate
event handler to extend the life of the active worker until the passed promise resolves successfully. No functional events are dispatched until the state becomes activated.
+ Note: The service worker in this state is considered an active worker. During this state, waitUntil()
can be called inside the onactivate
event handler to extend the life of the active worker until the passed promise resolves successfully. No functional events are dispatched until the state becomes activated.
-
activated
-
-
Note: The service worker in this state is considered an active worker ready to handle functional events.
+ Note: The service worker in this state is considered an active worker ready to handle functional events.
-
redundant
-
-
Note: A new service worker is replacing the current service worker, or the current service worker is being discarded due to an install failure.
+ Note: A new service worker is replacing the current service worker, or the current service worker is being discarded due to an install failure.
-
Fire an event named statechange
at workerObject.
@@ -6018,7 +6019,7 @@
Output
-
-
worker, a service worker
+ worker, a service worker
-
@@ -6086,7 +6087,7 @@
Output
-
-
newestWorker, a service worker
+ newestWorker, a service worker
-
@@ -6103,6 +6104,71 @@
+ Check If Service Worker Resources Are Identical
+
+ -
+
Input
+ -
+
sourceScript, a script
+ -
+
targetScript, a script
+ -
+
registration, a service worker registration
+ -
+
job, a job
+ -
+
Output
+ -
+
True or false, a boolean
+
+
+ -
+
If sourceScript and targetScript are not both classic scripts or not both module scripts, return false.
+ -
+
If sourceScript is a classic script, then:
+
+ -
+
If sourceScript’s source text is not a byte-for-byte match with targetScript’s source text, return false.
+ -
+
Let sourceMap be sourceScript’s imported scripts map.
+ -
+
For each url → response of sourceMap:
+
+ -
+
Let request be a new request whose url is url, client is job’s client, type is "script
", destination is "script
", parser metadata is "not parser-inserted
", synchronous flag is set, and whose use-URL-credentials flag is set.
+ -
+
Set request’s cache mode to "no-cache
" if any of the following are true:
+
+ -
+
registration’s use cache is false.
+ -
+
job’s force bypass cache flag is set.
+ -
+
registration’s last update check time is not null and the time difference in seconds calculated by the current time minus registration’s last update check time is greater than 86400.
+
+ -
+
Let targetResponse be the result of fetching request.
+ -
+
If targetResponse’s cache state is not "local
", set registration’s last update check time to the current time.
+ -
+
Let targetResponse be targetResponse’s unsafe response.
+ -
+
If targetResponse’s type is "error
", or targetResponse’s status is not an ok status, return false.
+ -
+
If the result of UTF-8 decoding response’s body is not a byte-for-byte match with the result of UTF-8 decoding targetResponse’s body, return false.
+
+
+ -
+
If sourceScript is a module script, then:
+
+ -
+
If sourceScript’s module record's [[ECMAScriptCode]] is not a byte-for-byte match with targetScript’s module record's [[ECMAScriptCode]], return false.
+
+ -
+
Return true.
+
+
Create Client
@@ -6381,18 +6447,18 @@ Appendix B: Extended HTTP headers
Service Worker Script Request
- An HTTP request to fetch a service worker's script resource will include the following header:
+ An HTTP request to fetch a service worker's script resource will include the following header:
-
-
-
Indicates this request is a service worker's script resource request.
+ Indicates this request is a service worker's script resource request.
Note: This header helps administrators log the requests and detect threats.
Service Worker Script Response
- An HTTP response to a service worker's script resource request can include the following header:
+ An HTTP response to a service worker's script resource request can include the following header:
-
@@ -6439,7 +6505,7 @@
Syntax
- ABNF for the values of the headers used by the service worker's script resource requests and responses:
+ ABNF for the values of the headers used by the service worker's script resource requests and responses:
Service-Worker = %x73.63.72.69.70.74 ; "script", case-sensitive
Note: The validation of the Service-Worker-Allowed header’s values is done by URL parsing algorithm (in Update algorithm) instead of using ABNF.
@@ -6513,6 +6579,7 @@ CacheQueryOptions, in §6.4
- caches, in §6.3.1
- CacheStorage, in §6.5
+
- Check If Service Worker Resources Are Identical, in §Unnumbered section
- claim(), in §4.3.4
- Clear Registration, in §Unnumbered section
- client, in §Unnumbered section
@@ -6607,6 +6674,7 @@
ignoreMethod, in §6.4
- ignoreSearch, in §6.4
- ignoreVary, in §6.4
+
- imported scripts map, in §2.1
- imported scripts updated flag, in §2.1
- importScripts(urls), in §7.3.2
- includeReserved, in §4.3
@@ -6815,7 +6883,6 @@
dfn for job, in §Unnumbered section
- script resource, in §2.1
-
- script resource map, in §2.1
-
script url
+
-
+ [WHATWG-ENCODING] defines the following terms:
+
+ - utf-8 decode
+
-
[FETCH] defines the following terms:
@@ -7035,6 +7107,7 @@ opaque-redirect filtered response
- origin
- parse a header value
+
- parser metadata
- potential-navigation-or-subresource request
- process response
- process response done
@@ -7052,11 +7125,14 @@
status
- stream
- subresource request
+
- synchronous flag
- target client id
- terminated
- termination reason
-
- type
+
- type (for request)
+
- type (for response)
- url
+
- use-url-credentials flag
-
[HTML] defines the following terms:
@@ -7301,6 +7377,8 @@
N
- Cameron McCormack; Boris Zbarsky; Tobie Langel. Web IDL. URL: https://heycam.github.io/webidl/
- [WHATWG-DOM]
- Anne van Kesteren. DOM Standard. Living Standard. URL: https://dom.spec.whatwg.org/
+
- [WHATWG-ENCODING]
+
- Anne van Kesteren. Encoding Standard. Living Standard. URL: https://encoding.spec.whatwg.org/
- [WHATWG-URL]
- Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
@@ -7564,50 +7642,50 @@
#dfn-service-workerReferenced in:
- 1. Motivations (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14)
-
- 2.1. Service Worker (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14) (15)
-
- 2.1.1. Lifetime (2)
-
- 2.2. Service Worker Registration (2) (3) (4)
-
- 2.5. Task Sources (2) (3)
-
- 2.6. User Agent Shutdown
-
- 3.1. ServiceWorker (2) (3) (4)
-
- 3.1.1. scriptURL
-
- 3.1.3. postMessage(message, transfer)
-
- 3.2.1. installing
-
- 3.2.2. waiting
-
- 3.2.3. active
-
- 3.4. ServiceWorkerContainer
-
- 3.4.1. controller
-
- 3.5. Events (2)
-
- 4.1. ServiceWorkerGlobalScope (2) (3) (4)
-
- 4.1.3. skipWaiting() (2)
-
- 4.4. ExtendableEvent (2) (3) (4) (5) (6) (7)
-
- 4.5.1. event.registerForeignFetch(options) (2)
-
- 4.6. FetchEvent (2)
-
- 4.7. ForeignFetchEvent (2)
-
- 4.8. ExtendableMessageEvent (2)
-
- 6.2. Understanding Cache Lifetimes (2)
-
- 7.1. Secure Context (2) (3) (4) (5)
-
- 7.2. Content Security Policy
-
- 7.3.1. Origin restriction (2) (3)
-
- 7.4. Cross-Origin Resources and CORS
-
- 7.5. Implementer Concerns (2) (3)
-
- 7.6. Privacy (2)
-
- 8. Extensibility
-
- 8.4. Request Functional Event Dispatch
-
- Update
-
- Install (2)
-
- Run Service Worker
-
- Terminate Service Worker
-
- Extend Service Worker Lifetime
-
- Handle Fetch
-
- Handle Foreign Fetch
-
- Update Registration State
-
- Update Worker State (2) (3) (4) (5) (6) (7) (8) (9) (10)
-
- Match Service Worker for Foreign Fetch
-
- Get Newest Worker
-
- Service Worker Script Request (2)
-
- Service Worker Script Response
-
- Syntax
+
- 2.1. Service Worker (2) (3) (4) (5) (6) (7) (8) (9) (10) (11) (12) (13) (14)
+
- 2.1.1. Lifetime (2)
+
- 2.2. Service Worker Registration (2) (3) (4)
+
- 2.5. Task Sources (2) (3)
+
- 2.6. User Agent Shutdown
+
- 3.1. ServiceWorker (2) (3) (4)
+
- 3.1.1. scriptURL
+
- 3.1.3. postMessage(message, transfer)
+
- 3.2.1. installing
+
- 3.2.2. waiting
+
- 3.2.3. active
+
- 3.4. ServiceWorkerContainer
+
- 3.4.1. controller
+
- 3.5. Events (2)
+
- 4.1. ServiceWorkerGlobalScope (2) (3) (4)
+
- 4.1.3. skipWaiting() (2)
+
- 4.4. ExtendableEvent (2) (3) (4) (5) (6) (7)
+
- 4.5.1. event.registerForeignFetch(options) (2)
+
- 4.6. FetchEvent (2)
+
- 4.7. ForeignFetchEvent (2)
+
- 4.8. ExtendableMessageEvent (2)
+
- 6.2. Understanding Cache Lifetimes (2)
+
- 7.1. Secure Context (2) (3) (4) (5)
+
- 7.2. Content Security Policy
+
- 7.3.1. Origin restriction (2) (3)
+
- 7.4. Cross-Origin Resources and CORS
+
- 7.5. Implementer Concerns (2) (3)
+
- 7.6. Privacy (2)
+
- 8. Extensibility
+
- 8.4. Request Functional Event Dispatch
+
- Update
+
- Install (2)
+
- Run Service Worker
+
- Terminate Service Worker
+
- Extend Service Worker Lifetime
+
- Handle Fetch
+
- Handle Foreign Fetch
+
- Update Registration State
+
- Update Worker State (2) (3) (4) (5) (6) (7) (8) (9) (10)
+
- Match Service Worker for Foreign Fetch
+
- Get Newest Worker
+
- Service Worker Script Request (2)
+
- Service Worker Script Response
+
- Syntax
+