
Clarify whether images and icons must be served over HTTPS

Open collimarco opened this issue 6 years ago • 4 comments

ServiceWorkerRegistration.showNotification() has icon and image options. It is not clear from the standard whether those resources must be served over https or if http is acceptable as well.

Moreover, Firefox and Chrome have different behaviors: Firefox shows the icons over http, while Chrome doesn't display icons and images served over http (see related Chromium issue).

Please clarify if HTTPS is required or not.

collimarco, Feb 11 '19 15:02

Per https://w3c.github.io/webappsec-mixed-content/#should-block-fetch it should work, but it might not be a bad idea to disallow it given it's a somewhat problematic practice and a new context for loading such problematic resources.

cc @mikewest

annevk, Feb 11 '19 15:02

It looks like our implementation issues a warning from Document-contexts, but blocks the request from Worker-contexts. I don't think we currently have metrics in place for measuring how often this is used, but in principle I agree that disallowing it might be a good idea.

beverloo, Feb 11 '19 15:02

This was maybe meant to fall out of https://w3c.github.io/webappsec-mixed-content/#strict-mixed-content-checking-flag, but there's a lot of bugs around that.

annevk, Feb 11 '19 15:02

I agree with @annevk and @beverloo: let's restrict the icon and image options to secure resources. That is both the simplest solution, and the most forward-compatible with a secure web (and, if Chrome is accidentally already shipping it, probably quite compatible with today's web as well).

mikewest, Feb 12 '19 10:02
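The restriction the thread converges on can also be enforced on the sending side: a service worker can check its icon/image options against the Mixed Content "potentially trustworthy URL" rule before calling showNotification(), so an http: resource fails loudly instead of being blocked in the worker context as beverloo describes. This is an added example, not code from the thread or from any browser; `isPotentiallyTrustworthy`, `checkNotificationResources` and `showSecureNotification` are hypothetical helper names, and the trustworthiness check is a deliberate approximation of the spec rule.

```javascript
// Added example (not from the thread or any browser): reject mixed-content
// icon/image URLs before calling showNotification(), so a worker-context
// block does not silently produce a notification without its images.

const IMAGE_OPTIONS = ['icon', 'image', 'badge']; // image-valued Notification options

// Hypothetical helper approximating the Secure Contexts "potentially
// trustworthy URL" rule: https/wss/data URLs and loopback hosts pass.
// Assumption: blob:, filesystem: and about: URLs are not handled here.
function isPotentiallyTrustworthy(url) {
  if (url.protocol === 'https:' || url.protocol === 'wss:' || url.protocol === 'data:') {
    return true;
  }
  const host = url.hostname;
  return host === 'localhost' || host.endsWith('.localhost') ||
    host === '[::1]' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Returns a list of problems (empty when every image option is secure).
// baseUrl is the worker's own URL (self.location.href inside a service
// worker) and is used to resolve relative option values.
function checkNotificationResources(options, baseUrl) {
  const problems = [];
  for (const key of IMAGE_OPTIONS) {
    if (options[key] === undefined) continue;
    let url;
    try {
      url = new URL(String(options[key]), baseUrl);
    } catch {
      problems.push(`${key}: invalid URL`);
      continue;
    }
    if (!isPotentiallyTrustworthy(url)) {
      problems.push(`${key}: ${url.href} is not served over a secure scheme`);
    }
  }
  return problems;
}

// Wrapper that refuses to show a notification with mixed-content images.
// Throws synchronously so the caller sees a clear error rather than a
// blocked fetch; otherwise forwards to registration.showNotification().
function showSecureNotification(registration, title, options, baseUrl) {
  const problems = checkNotificationResources(options, baseUrl);
  if (problems.length > 0) {
    throw new TypeError(`Insecure notification resources: ${problems.join('; ')}`);
  }
  return registration.showNotification(title, options);
}
```

In a push handler this replaces `self.registration.showNotification(title, options)` with `showSecureNotification(self.registration, title, options, self.location.href)`.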