We have a use case with an untrusted front-end server that hosts a service worker source script as a signed exchange: `service_worker.sxg`.
The main page of the website is also distributed as a signed exchange and registers the service worker as follows:

```js
// This JS is running with the `trusted.back.end` origin.
navigator.serviceWorker.register('https://untrusted.front.end/service_worker.sxg');
```

Currently this fails in Chrome 107 with an error:

```
Failed to register a ServiceWorker: The origin of the provided scriptURL ('https://untrusted.front.end') does not match the current origin
```

Question: What is the expected behaviour according to the SXG specification here?
Based on the explainer and the spirit of SXG, I was expecting the service worker registration to succeed because the service worker source script resource should be considered as having the same trusted origin.
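
The error quoted above comes from the URL checks that `register()` applies to the `scriptURL` string it is given. The following is an added example, not code from the original post or from Chrome: a simplified model of those checks as laid out in the Service Workers specification, with `checkRegistration` as a hypothetical helper name and the page URL constructed from the origin named in the post. The secure-context check and the later max-scope check are omitted.

```javascript
// Simplified model of the URL checks behind navigator.serviceWorker.register().
// checkRegistration is a hypothetical helper, not a browser API.
function parse(url, base) {
  try {
    const u = new URL(url, base);
    u.hash = '';                       // fragments are dropped before comparison
    return u;
  } catch {
    return null;
  }
}

function checkRegistration(pageURL, scriptURL, scope) {
  const fail = (error, reason) => ({ ok: false, error, reason });
  const page = new URL(pageURL);
  const script = parse(scriptURL, page);
  if (!script) return fail('TypeError', 'scriptURL does not parse');
  // Without an explicit scope, the scope is the script's directory.
  const scopeURL = parse(scope ?? './', script);
  if (!scopeURL) return fail('TypeError', 'scope does not parse');

  const checked = [['scriptURL', script], ['scope', scopeURL]];
  for (const [name, url] of checked) {
    if (!['http:', 'https:'].includes(url.protocol)) {
      return fail('TypeError', `${name} scheme is not http(s)`);
    }
    // Encoded slashes and backslashes in the path are rejected outright.
    if (/%2f|%5c/i.test(url.pathname)) {
      return fail('TypeError', `${name} path contains %2f or %5c`);
    }
  }
  // The comparison is on the URL handed to register(), i.e. where the
  // script is fetched from, against the origin of the registering page.
  for (const [name, url] of checked) {
    if (url.origin !== page.origin) {
      return fail('SecurityError',
        `${name} origin ${url.origin} does not match ${page.origin}`);
    }
  }
  return { ok: true, script: script.href, scope: scopeURL.href };
}

// Constructed input mirroring the call in the post.
console.log(checkRegistration('https://trusted.back.end/',
  'https://untrusted.front.end/service_worker.sxg'));
```
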