whatwg / notifications

Notifications API Standard
https://notifications.spec.whatwg.org/

Clarify whether images and icons must be served over HTTPS #145

Open collimarco opened 5 years ago

collimarco commented 5 years ago

ServiceWorkerRegistration.showNotification() has icon and image options. It is not clear from the standard whether those resources must be served over https or if http is acceptable as well.

Moreover, Firefox and Chrome have different behaviors: Firefox shows the icons over http, while Chrome doesn't display icons and images served over http (see related Chromium issue).

Please clarify if HTTPS is required or not.

annevk commented 5 years ago

Per https://w3c.github.io/webappsec-mixed-content/#should-block-fetch it should work, but it might not be a bad idea to disallow it given it's a somewhat problematic practice and a new context for loading such problematic resources.

cc @mikewest

beverloo commented 5 years ago

It looks like our implementation issues a warning from Document-contexts, but blocks the request from Worker-contexts. I don't think we currently have metrics in place for measuring how often this is used, but in principle I agree that disallowing it might be a good idea.

annevk commented 5 years ago

This was maybe meant to fall out of https://w3c.github.io/webappsec-mixed-content/#strict-mixed-content-checking-flag, but there are a lot of bugs around that.

mikewest commented 5 years ago

I agree with @annevk and @beverloo: let's restrict the icon and image options to secure resources. That is both the simplest solution, and the most forward-compatible with a secure web (and, if Chrome is accidentally already shipping it, probably quite compatible with today's web as well).
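The practical consequence of the thread above is that a service worker on an https origin cannot rely on an http icon or image being fetched: in the worker context Chrome already blocks the request as mixed content, and the proposal is to make that the specified behaviour. The following is an added example, not code from the WHATWG spec, Chromium or Firefox, of a small guard a site can put in front of showNotification() so that insecure resource URLs are dropped (and logged) before the call instead of silently failing. It also covers the badge option, which is the spec's third URL-valued option. The helper names, the stub registration and the sample URLs are all constructed for the example; the "secure" test is a simplified form of the Mixed Content spec's "potentially trustworthy" check (https:, data:, blob:, plus http on loopback) rather than the full algorithm.

```javascript
// Added example: guard the URL-valued options of showNotification()
// (icon, image, badge) against mixed content before the browser sees them.
// Helper names are hypothetical; `base` stands in for self.location in a
// real service worker so the code also runs under Node for the sample below.

// Simplified "potentially trustworthy" check: these schemes are never mixed
// content, whatever the origin of the page or worker that loads them.
const SAFE_SCHEMES = new Set(["https:", "data:", "blob:"]);

// Returns true when `url` (absolute or relative to `base`) would not be
// treated as mixed content when fetched from a secure context.
function isSecureResourceUrl(url, base) {
  let parsed;
  try {
    parsed = new URL(url, base); // resolves relative paths such as "/icon.png"
  } catch {
    return false; // an unparsable URL is treated as blocked
  }
  if (SAFE_SCHEMES.has(parsed.protocol)) return true;
  // Browsers treat loopback as a secure origin even over plain http.
  const loopback = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1";
  return parsed.protocol === "http:" && loopback;
}

// Returns a copy of `options` with insecure icon/image/badge entries removed,
// together with the list of keys that were dropped so the caller can log them.
function sanitizeNotificationOptions(options, base) {
  const out = { ...options };
  const dropped = [];
  for (const key of ["icon", "image", "badge"]) {
    if (out[key] === undefined) continue;
    if (!isSecureResourceUrl(out[key], base)) {
      dropped.push(key);
      delete out[key];
    }
  }
  return { options: out, dropped };
}

// Wrapper around registration.showNotification(); `registration` is injected
// so the function can be exercised with a stub outside a worker.
// Resolves to the list of dropped keys.
async function showSecureNotification(registration, title, options, base) {
  const { options: safe, dropped } = sanitizeNotificationOptions(options, base);
  if (dropped.length) {
    console.warn(`dropped insecure notification resources: ${dropped.join(", ")}`);
  }
  await registration.showNotification(title, safe);
  return dropped;
}

// Constructed sample run with a stub registration (no browser needed).
const stubRegistration = {
  showNotification: async (title, opts) => console.log("showNotification:", title, opts),
};
showSecureNotification(stubRegistration, "Build finished", {
  body: "main passed",
  icon: "/icon.png",                               // relative: resolves to https
  image: "http://cdn.example/big.png",             // plain http: dropped
  badge: "data:image/png;base64,iVBORw0KGgo=",     // data: URL: kept
}, "https://app.example/sw.js").catch(console.error);
```

In a real worker, pass self.location.href as `base` and registration as the first argument; on an http origin every relative URL resolves to http and is dropped, which mirrors the blocked fetch rather than the Firefox behaviour of displaying it.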