Why do service workers only work over HTTPS?

Question

According to the original proposal, "Prefer Secure Origins For Powerful New Features":

"Particularly powerful" would mean things like: features that handle personally-identifiable information, features that handle high-value information like credentials or payment instruments, features that provide the origin with control over the UA's trustworthy/native UI, access to sensors on the user's device, or generally any feature that we would provide a user-settable permission or privilege to. Please discuss!

"Particularly powerful" would not mean things like: new rendering and layout features, CSS selectors, innocuous JavaScript APIs like showModalDialog, or the like. I expect that the majority of new work in HTML5 fits in this category. Please discuss!

Yet for some reason service workers have been thrown into the first category. Is there any canonical reason for why this happened?

Recommended answer

Jake Archibald from Google, in the official Service Workers draft spec sandbox (later cited by Matt Gaunt from HTML5rocks), states that:

Using service worker you can hijack connections, fabricate, and filter responses. Powerful stuff. While you would use these powers for good, a man-in-the-middle might not. To avoid this, you can only register for service workers on pages served over HTTPS, so we know the service worker the browser receives hasn't been tampered with during its journey through the network.
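The check described in the answer, as an added example that is not part of the original answer or of the spec text: a simplified JavaScript model of the secure-origin test a browser applies before allowing registration, plus a page-side guard. The function names are hypothetical, and the loopback exemption (localhost, 127.0.0.0/8, ::1) is browser behaviour that the answer does not mention.

```javascript
// Simplified model of the browser's "potentially trustworthy origin" test
// that gates navigator.serviceWorker.register(). Assumption: only https/wss
// and loopback hosts are modelled; every other scheme fails closed.
function isLoopbackHost(hostname) {
  // URL keeps the brackets around IPv6 literals, e.g. "[::1]".
  if (hostname === '[::1]') return true;
  if (hostname === 'localhost' || hostname.endsWith('.localhost')) return true;
  // IPv4 loopback is the whole 127.0.0.0/8 block.
  const m = /^127\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && m.slice(1).every((o) => Number(o) <= 255);
}

function isPotentiallyTrustworthy(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return false; // unparsable URL: fail closed
  }
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;
  // Loopback traffic never crosses the network, so nobody sits in the
  // middle to tamper with the worker script in transit.
  if (url.protocol === 'http:' || url.protocol === 'ws:') {
    return isLoopbackHost(url.hostname);
  }
  return false;
}

// Page-side guard (hypothetical helper): in a browser, trust the built-in
// isSecureContext flag and fall back to the model above only if it is absent.
async function registerWorker(scriptUrl) {
  if (typeof navigator === 'undefined' || !('serviceWorker' in navigator)) {
    return { registered: false, reason: 'unsupported' };
  }
  const secure = typeof isSecureContext === 'boolean'
    ? isSecureContext
    : isPotentiallyTrustworthy(location.href);
  if (!secure) return { registered: false, reason: 'insecure-context' };
  const reg = await navigator.serviceWorker.register(scriptUrl);
  return { registered: true, scope: reg.scope };
}
```

Hosts that merely look like loopback names, such as `evil-localhost` or `127.0.0.1.example.com`, are rejected because the comparison is made on the whole parsed hostname rather than on a substring.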
