Service Worker Scope

[00:00:00]
>> Maximiliano Firtman: Now I will give you an exception to what I said 40 seconds ago. I said that it has no relationship with PWAs, but actually there is one exception, iPhones. Safari and iOS does not support web push notifications unless you install PWA. If you install a PWA, that PWA, the installed version can request web push notification permission.

[00:00:28]
But not Safari, the browser, because it's Apple, I don't know. Actually, it took a while to get there. It was one of the most requested features for Apple. Hey, we want push notifications for PWAs. Well, the answer was, okay, you got it, but not in Safari. So you have to push your websites into installing the PWA, so then you can use web push, okay?

[00:00:53]
Well, the service worker has a scope defined. What's a scope? The scope is an origin, something that we have already defined, and a path. So it can be your whole domain, or it can be a folder in your domain. That means that that middleware that we installed, that network proxy can be responsible for your whole domain, or only for a folder.

[00:01:19]
And then you can have other service workers managing other folders, okay? That's the idea. The idea is that when you define a service worker, when you register a service worker, then it will manage all the pages within the browser and within the install app from that scope. So if you have a PWA installed, when you open that PWA, the service worker will say, that's mine.

[00:01:44]
It's part of my scope, it's mine, I'll take it. That's kind of the idea. Any page in the scope will install a service worker, and after installed, it can serve all the files requested from the scope. And after installed, it can serve all the files requested from the scope.

[00:02:04]
Only one service worker is allowed per scope. If you try to install another one, you are removing the previous one. There is a whole process there. For more advanced situations, you can get there. And WebKit, it's adding another complexity to this, partition management. I'm not sure if you have heard about this partition management before on WebKit, because of security, privacy reasons.

[00:02:30]
Partitions are only when you have iframes. So if you don't have iframes, a partition is a domain. It's the same, okay, it's the same. But if you have iframes, each combination of domain plus domain of the iframe is called a partition. So what's the idea with that? There is a whole blog post if you wanna get with that, service workers partition WebKit.

[00:02:57]
Workers at Your Service, okay, yeah, that's the title for service worker. Well, here they explain how Safari implemented service workers. And they talk here about partitions, here somewhere. So it has to do with,
>> Maximiliano Firtman: Increase this a little bit, it has to do with iframe. So if you have webkit.org, example.com, an iframe of that, that is taken as a partition.

[00:03:30]
So then it will be one instance of the service worker will be applied there. And if you have another page without the iframe, it will be a different partition, a different service worker. It has to do with privacy, okay, but it doesn't matter for now.
>> Student: Are there any security threats related to service workers or does the scope thing help with that?

[00:03:50]
>> Maximiliano Firtman: That's a good question. Actually, when the service workers appeared, there was a big fight in the community. Twitter was on fire, actually. And on fire, not just because of developers, but because of browser developers. The service worker was an API pushed by the Chrome team. The Safari team was against it.

[00:04:14]
And there was really hard tweets. What we know in public, I don't know what happened in private, but actually Apple didn't want that. And the main reason was security, okay? Well, actually, because, of course, it sounds too powerful. Because you have a lot of thousands of service workers installed that you don't know, and they can wake up, they can execute, go in the background.

[00:04:39]
But actually, the spec already tried to, of course, solve all the security concerns. That's why they cannot be executed by themselves. The user needs to open a new document for that domain so that service worker can appear, or the push notification to be received, and things like that.

[00:05:00]
To be honest, in the probably seven, eight years of service workers, we haven't seen big security problems or things that have appeared. So it seems like they are pretty secure, and we couldn't find a way to break the service workers, actually. There is a discussion of background execution, battery usage.

[00:05:24]
We can discuss that part. But in terms of security, I don't think there is any security risk. But all right, there is always risk, but nothing has been found yet, and I think that. But I understand, I feel the pain, the feeling, okay? I have the feeling also that, hey, this is too powerful.

[00:05:44]
How is that we can install servers on users' computers without their knowledge, okay? Well, it's a server that responds only to your origin. So you shouldn't, you cannot read things that happens on other tabs, on other websites and so on.