background-fetch icon indicating copy to clipboard operation
background-fetch copied to clipboard

Published 20 hours ago verified publisher icon WICG

Restrict requests to http(s): scheme

Open johnmellor opened this issue 7 years ago • 1 comments

Currently Background Fetch supports any URI scheme supported by Fetch, with the added restriction that Background Fetch is only exposed in Secure Contexts since it hangs off ServiceWorkerRegistration, and so Mixed Content §should-block-fetch requires request urls to be a priori authenticated. This is defined to be either a data: URI or anything considered "Potentially Trustworthy" by Secure Contexts §is-url-trustworthy.

So in practice requests are currently limited to: https:, [loopback] http:, data:, wss:, file:, chrome-extension: (or similar), about:blank, or about:srcdoc.

I'd like to propose restricting to only https: and [loopback] http:, since:

  • wss: doesn't seem to allow fetching resources.
  • data:, file:, chrome-extension:, and about: are local requests that can be satisfied almost immediately, so the ordinary Fetch API should be preferred for these.

(one case that's debatable is file: URLs to network shares, for which a background fetch might make more sense; however since that's a rather niche usecase I'd rather start without it, and we can always add support later)

johnmellor avatar Aug 01 '17 16:08 johnmellor

Agreed. Makes sense.

jakearchibald avatar Aug 02 '17 13:08 jakearchibald