Service Worker Q&A

[00:00:00]
>> What stops misbehaving, malicious or poorly implemented service worker from draining your battery and taking your bandwidth?
>> That was one of the biggest reactions against Service Worker when they appear for the first time. In fact, Apple was actually one of the main enemies of Service Worker. So WebKit didn't want to implement Service Worker because of that.

[00:00:27]
There are still online, The discussions on Twitter between the Chrome engineers and the Safari engineers. They're interesting to analyze those threats anyway. But anyway, they were fighting because of this. So, at the end, Safari implemented service workers. They did their own implementation to make it more secure according to the WebKit rules.

[00:00:55]
But actually, the first thing that happens is that the browser is always in charge of killing the Service Worker process. So if you're taking too much time, too much thread for a long time, it will kill you. It depends on the browser's implementation at that point. So if the browser thinks that you are overusing this, it will kill you, that's the first part.

[00:01:21]
So if you have a while true, and in the while true you are making math operations, so you are consuming CPU doing nothing for an infinite loop, at one point the browser will kill you. It will kill your thread. The other part is how to wake up the Service Worker.

[00:01:40]
You can't wake up the Service Worker whenever you want, only with the pre-arranged use cases. And one of the use cases is web push. So your server can send a message to the Service Worker and that will wake up the Service Worker. So at this point, the next question will be what is stopping me to sending a push message every 30 seconds and waking up my Service Worker every 30 seconds?

[00:02:10]
Well, the browsers already, Thought about that and the answer was that, that silent notifications are forbidden. That means that every time you wake up a Service Worker because of a web push, you're forced to notify the user something in the OS. If you don't do that, you have a time sum, three seconds after you're waking up.

[00:02:39]
So you woke up, you have three to five seconds, it depends on the implementation, to show a notification to a user. If you don't do that, and you say, I'm not going to notify the user, a generic notification will appear. So the browser will generate the notification that says something like, this website has been updated and because we don't want that as developers, because we wanna customize the message.

[00:03:10]
So that's like how the browsers are trying to keep service workers within a secure and good citizen way of life within the browser. And so far, so we've been working with Service Worker for five years, we didn't find big problems actually, so it's actually working so far.
>> Is it the case that there's no OS level interaction required if the webpage is actually in the foreground?

[00:03:45]
So, that's like, it requires an OS level notification or interaction if it's trying to wake up a backgrounded service worker. But that would be irritating if you're just using Twitter-
>> The idea is that it will be irritating for the user to receive a notification every 30 seconds.

[00:04:02]
So, the user will actually go and say, revoke permission. And if it's revoking permission for notification, then you won't be able to send any more push messages so you won't be able to wake up the service worker anymore, that's how it works.