
SW error when accessing via SXG

Open shigeki opened this issue 5 years ago • 3 comments

Describe the bug

ampbyexample has a ServiceWorker error when accessing via SXG. Please refer to the console.log in the attached screenshot below.

[screenshot: ampbyexample_sw_error]

shigeki, Apr 05 '19 03:04

This is interesting. Thanks for reporting!

//cc @ithinkihaveacat

sebastianbenz, Apr 05 '19 09:04

Unfortunately it's not possible to install a SW via a SXG response right now. (Or at least SXG as delivered by Google Search.)

The problem is the amppackage sets a CSP header on the "inner" response that prevents JS from anywhere other than cdn.ampproject.org from running. (Also, cdn.ampproject.org itself sets the same header on the "outer" response … I suspect it's the inner CSP that's preventing the SW from being installed in this case, but either way it's blocked.)

Outer CSP:

$ curl -sI -H 'accept: application/signed-exchange;v=b3' 'https://www-chefkoch-de.cdn.ampproject.org/wp/s/www.chefkoch.de/amp/rs/s0/lasagne/Rezepte.html' | grep content-security
content-security-policy: default-src * blob: data:; script-src blob: https://cdn.ampproject.org/esm/ https://cdn.ampproject.org/mp/ https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/sp/ https://cdn.ampproject.org/sw/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://pro.fontawesome.com https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp

Inner CSP:

$ curl -s -H 'accept: application/signed-exchange;v=b3' 'https://www-chefkoch-de.cdn.ampproject.org/wp/s/www.chefkoch.de/amp/rs/s0/lasagne/Rezepte.html' | dump-signedexchange -verify | grep -i content-security
    Content-Security-Policy: default-src * blob: data:;report-uri https://csp-collector.appspot.com/csp/amp;script-src blob: https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/;style-src 'unsafe-inline' https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://pro.fontawesome.com https://use.fontawesome.com https://use.typekit.net;object-src 'none'

For reference, the behavior is specified at https://wicg.github.io/webpackage/loading.html, though I don't know whether Chrome or any other browser actually implements this yet.

(@twifkak FYI.)

ithinkihaveacat, Apr 09 '19 14:04

Chrome doesn't implement this yet; see https://bugs.chromium.org/p/chromium/issues/detail?id=939237 ("ServiceWorker registration fails on inner SXG").

ithinkihaveacat, Apr 09 '19 15:04
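
The directive lookup behind the two headers quoted in this thread, as an added example that is not part of the original issue or of the AMP project's code: for each policy it picks the directive that governs worker scripts (CSP3 fallback order `worker-src`, `child-src`, `script-src`, `default-src`) and tests a URL against it. The two test URLs and the simplified source matching are assumptions; the policies are abridged from the headers above.

```javascript
// Added example, not code from the issue or from AMP. Source matching is
// simplified (assumption): '*', 'none', scheme-sources and host-sources with
// an optional path; no host wildcards, ports, nonces or hashes.

// Abridged from the thread's headers (style-src, object-src, report-uri dropped).
const OUTER = "default-src * blob: data:; script-src blob: https://cdn.ampproject.org/esm/ https://cdn.ampproject.org/mp/ https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/sp/ https://cdn.ampproject.org/sw/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/";
const INNER = "default-src * blob: data:;script-src blob: https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/";

// Split a policy into directive -> source list; a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

function sourceMatches(source, url) {
  if (source === "'none'") return false;
  if (source === "*") return ["http:", "https:"].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return source.toLowerCase() === url.protocol;
  let expr;
  try { expr = new URL(source); } catch { return false; } // keywords etc.
  if (expr.protocol !== url.protocol || expr.host !== url.host) return false;
  if (!/^[a-z][a-z0-9+.-]*:\/\/[^/]+\//i.test(source)) return true; // no path part
  // A path ending in "/" is a prefix match; anything else must match exactly.
  return expr.pathname.endsWith("/")
    ? url.pathname.startsWith(expr.pathname)
    : url.pathname === expr.pathname;
}

// CSP3 fallback order for worker (including service worker) script requests.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function checkWorker(header, workerUrl) {
  const policy = parseCsp(header);
  const directive = WORKER_FALLBACK.find((d) => policy.has(d));
  if (!directive) return { directive: null, allowed: true };
  const url = new URL(workerUrl);
  const allowed = policy.get(directive).some((s) => sourceMatches(s, url));
  return { directive, allowed };
}

// Constructed URLs: a publisher-origin worker and a path under the CDN's /sw/.
for (const u of ["https://publisher.example/sw.js", "https://cdn.ampproject.org/sw/example.js"]) {
  console.log(u, "outer:", checkWorker(OUTER, u), "inner:", checkWorker(INNER, u));
}
```

Against these abridged headers the publisher-origin URL fails both policies at `script-src`, while the `/sw/` path passes the outer policy and fails the inner one, which has no `/sw/` entry.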