Why do service workers only work over HTTPS?

According to the original proposal, "Prefer Secure Origins For Powerful New Features":

“Particularly powerful” would mean things like: features that handle personally-identifiable information, features that handle high-value information like credentials or payment instruments, features that provide the origin with control over the UA's trustworthy/native UI, access to sensors on the user's device, or generally any feature that we would provide a user-settable permission or privilege to. Please discuss!

“Particularly powerful” would not mean things like: new rendering and layout features, CSS selectors, innocuous JavaScript APIs like showModalDialog, or the like. I expect that the majority of new work in HTML5 fits in this category. Please discuss!

However, for some reason, service workers were placed in the first category. Is there a canonical reason why this happened?

To me, this applies to ServiceWorker:

features that handle personally-identifiable information, features that handle high-value information like credentials or payment instruments

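Basically acting as a proxy between the page and the server, a ServiceWorker can easily intercept, read, and potentially store every piece of information contained in every request and response, including personally identifiable information and passwords.

Jake Archibald from Google, in the official Service Workers draft spec sandbox, later cited by Matt Gaunt of HTML5rocks, points out: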

Using service worker you can hijack connections, fabricate, and filter responses. Powerful stuff. While you would use these powers for good, a man-in-the-middle might not. To avoid this, you can only register for service workers on pages served over HTTPS, so we know the service worker the browser receives hasn't been tampered with during its journey through the network.
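
The gate described above, sketched as an added example that is not part of the original answer or any browser's code: a simplified approximation of the secure-context and same-origin checks a browser applies before accepting a service worker registration. The function names and the sample URLs are constructed for illustration.

```javascript
// Simplified approximation of the "potentially trustworthy" test browsers
// apply before exposing navigator.serviceWorker (illustrative names).
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // an unparsable URL is never trustworthy
  }
  // HTTPS gives authenticated, integrity-protected delivery of the script.
  if (url.protocol === "https:") return true;
  // Loopback traffic never crosses the network, so it is exempt for development.
  const host = url.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true;
  return host === "[::1]";
}

// Decide whether a page may register the given worker script.
function checkRegistration(pageUrl, scriptUrl) {
  if (!isPotentiallyTrustworthy(pageUrl)) {
    return { allowed: false, reason: "page is not a secure context" };
  }
  const page = new URL(pageUrl);
  let script;
  try {
    script = new URL(scriptUrl, page); // resolve relative script paths
  } catch {
    return { allowed: false, reason: "script URL is invalid" };
  }
  if (script.protocol !== "http:" && script.protocol !== "https:") {
    return { allowed: false, reason: "script scheme must be http or https" };
  }
  // A worker proxies every request in its scope, so only the origin
  // itself may supply it.
  if (script.origin !== page.origin) {
    return { allowed: false, reason: "script is not same-origin with the page" };
  }
  return { allowed: true, reason: "secure context, same-origin script" };
}

// Constructed sample inputs.
for (const [page, script] of [
  ["https://shop.example/account", "/sw.js"],
  ["http://shop.example/account", "/sw.js"],
  ["http://localhost:8080/", "/sw.js"],
  ["https://shop.example/", "https://cdn.example/sw.js"],
]) {
  console.log(page, script, JSON.stringify(checkRegistration(page, script)));
}
```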