pcb
pcb copied to clipboard
kiibohd
offline-plugin on virtual host
Hi,
I'm currently developing a website that runs on a virtual host on my local machine without HTTPS.
Google Chrome treats my virtual host as unsecure and won't install a Service Worker. This is totally fine due to their documentation:
“Secure origins” are origins that match at least one of the following (scheme, host, port) patterns:
- (https, *, *)
- (wss, *, *)
- (*, localhost, *)
- (*, 127/8, *)
- (*, ::1/128, *)
- (file, *, —)
- (chrome-extension, *, —)
But there's the possibility to open Chrome via Terminal and by using --unsafely-treat-insecure-origin-as-secure=http://virtual-host.test, which makes Chrome treat the provided origin as secure.
Now, if I call navigator.serviceWorker.register('/sw.js');, Chrome installs the Service Worker on my local website with virtual host - while the offline-plugin won't. I did a little research and found the hasSW-method:
function hasSW() {
return 'serviceWorker' in navigator &&
// This is how I block Chrome 40 and detect Chrome 41, because first has
// bugs with history.pustState and/or hashchange
(window.fetch || 'imageRendering' in document.documentElement.style) &&
(window.location.protocol === 'https:' || window.location.hostname === 'localhost' || window.location.hostname.indexOf('127.') === 0)
}
I see that you added the patterns from the Chrome docs - that's nice! Do you see any chance to set an option like unsafelyTreatInsecureOriginAsSecure? To be able to trust virtual hosts without installing locally self-signed certificates?
Thank you so much!
Kind regards, Niels
As a quick fix I made a fork where I removed the line (window.location.protocol === 'https:' || window.location.hostname === 'localhost' || window.location.hostname.indexOf('127.') === 0).
One could argue, if this could also be a solution: leave it up to the browsers whether to execute a Service Worker or not. What do you think?
I have no insight to this issue, is there a PR regarding this anywhere, would someone submit one?
