"SecurityError: The operation is insecure" on Firefox

[szepeviktor]

Please check the returned Promise. It could be rejected with a certain cookie setting
See https://bugzilla.mozilla.org/show_bug.cgi?id=1429714#c1

[westonruter]

So we're missing a catch() call here?

pwa-wp/wp-includes/service-workers.php

Lines 161 to 186 in 261c15e

	navigator.serviceWorker.register(
	<?php echo wp_json_encode( wp_get_service_worker_url( $name ) ); ?>,
	<?php echo wp_json_encode( compact( 'scope' ) ); ?>
	).then( reg => {
	<?php if ( WP_Service_Workers::SCOPE_ADMIN === $name ) : ?>
	document.cookie = <?php echo wp_json_encode( sprintf( 'wordpress_sw_installed=1; path=%s; expires=Fri, 31 Dec 9999 23:59:59 GMT; secure; samesite=strict', $scope ) ); ?>;
	<?php endif; ?>
	<?php if ( ! wp_service_worker_skip_waiting() ) : ?>
	reg.addEventListener( 'updatefound', () => {
	if ( ! reg.installing ) {
	return;
	}
	updatedSw = reg.installing;
	/* If new service worker is available, show notification. */
	updatedSw.addEventListener( 'statechange', () => {
	if ( 'installed' === updatedSw.state && navigator.serviceWorker.controller ) {
	const notification = document.getElementById( 'wp-admin-bar-pwa-sw-update-notice' );
	if ( notification ) {
	notification.style.display = 'block';
	}
	}
	} );
	} );
	<?php endif; ?>
	} );

[szepeviktor]

Seems like...

[westonruter]

Would you like to open a PR? Should it be putting the error in the console via console.error()?

[szepeviktor]

Thank you for your offer! I better not touch frontend code.

[westonruter]

I can't reproduce this issue. In private browsing, navigator.serviceWorker is not even defined. The same goes if I select to not remember history in non-private browsing.

[szepeviktor]

Try telling Firefox to delete cookies on exit - that is mentioned in the bug tracker.
about:preferences#privacy

[westonruter]

OK, I can see that now:

With this patch:

diff --git a/wp-includes/service-workers.php b/wp-includes/service-workers.php
index 2197787..17cb864 100644
--- a/wp-includes/service-workers.php
+++ b/wp-includes/service-workers.php
@@ -183,6 +183,9 @@ function wp_print_service_workers() {
 									} );
 								} );
 							<?php endif; ?>
+						} )
+						.catch( ( err ) => {
+							console.info( "Service worker will not be installed due to:", err );
 						} );
 
 						<?php if ( is_admin_bar_showing() && ! wp_service_worker_skip_waiting() ) : ?>

The result is:

Doesn't seem a whole lot better.

[szepeviktor]

I think we need .reject() too
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/reject

[westonruter]

No, I don't think that is right. The reject is already being called today by the browser today. When a rejected promise is not caught via catch then it shows up on the console as an error. You can see from my code above that adding catch does prevent the error from showing in the console, but the Firefox DevTools still shows another error regardless. So I don't know how much benefit there is to catch it in the first place.

[szepeviktor]

Yes, we have the same problem as others in the Mozilla bug:

Neither try/catch nor then/catch seems to be able to supress the error warnings in the console.

https://bugzilla.mozilla.org/show_bug.cgi?id=1429714#c12