This repository has been archived by the owner on Oct 22, 2019. It is now read-only.

SW error when accessing via SXG #1990

Open
shigeki opened this issue Apr 5, 2019 · 3 comments

Comments

@shigeki

shigeki commented Apr 5, 2019

Describe the bug
ampbyexample has a ServiceWorker error when accessing via SXG.
Please refer to the console.log in the attached screenshot below.
[Screenshot: ampbyexample_sw_error]

@sebastianbenz
Collaborator

This is interesting. Thanks for reporting!

//cc @ithinkihaveacat

@ithinkihaveacat
Contributor

Unfortunately it's not possible to install a SW via a SXG response right now. (Or at least SXG as delivered by Google Search.)

The problem is the amppackage sets a CSP header on the "inner" response that prevents JS from anywhere other than cdn.ampproject.org from running. (Also, cdn.ampproject.org itself sets the same header on the "outer" response … I suspect it's the inner CSP that's preventing the SW from being installed in this case, but either way it's blocked.)

Outer CSP:

$ curl -sI -H 'accept: application/signed-exchange;v=b3' 'https://www-chefkoch-de.cdn.ampproject.org/wp/s/www.chefkoch.de/amp/rs/s0/lasagne/Rezepte.html' | grep content-security
content-security-policy: default-src * blob: data:; script-src blob: https://cdn.ampproject.org/esm/ https://cdn.ampproject.org/mp/ https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/sp/ https://cdn.ampproject.org/sw/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'; style-src 'unsafe-inline' https://cdn.ampproject.org/rtv/ https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://pro.fontawesome.com https://use.fontawesome.com https://use.typekit.net; report-uri https://csp-collector.appspot.com/csp/amp

Inner CSP:

$ curl -s -H 'accept: application/signed-exchange;v=b3' 'https://www-chefkoch-de.cdn.ampproject.org/wp/s/www.chefkoch.de/amp/rs/s0/lasagne/Rezepte.html' | dump-signedexchange -verify | grep -i content-security
    Content-Security-Policy: default-src * blob: data:;report-uri https://csp-collector.appspot.com/csp/amp;script-src blob: https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/;style-src 'unsafe-inline' https://cdn.materialdesignicons.com https://cloud.typography.com https://fast.fonts.net https://fonts.googleapis.com https://maxcdn.bootstrapcdn.com https://p.typekit.net https://pro.fontawesome.com https://use.fontawesome.com https://use.typekit.net;object-src 'none'

For reference, the behavior is specified at https://wicg.github.io/webpackage/loading.html, though I don't know whether Chrome or any other browser actually implements this yet.

(@twifkak FYI.)
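An added example (not code from this issue or from the AMP project) that evaluates the two policies quoted in the comment above against a service worker script URL, using the CSP Level 3 fallback order `worker-src`, `child-src`, `script-src`, `default-src`. The two script URLs are constructed, and source matching is simplified (no ports, host wildcards or `'self'`).

```javascript
// Policies copied from the curl output in the comment above, keeping only the
// directives relevant to script and worker loads.
const OUTER_CSP = "default-src * blob: data:; script-src blob: https://cdn.ampproject.org/esm/ https://cdn.ampproject.org/mp/ https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/sp/ https://cdn.ampproject.org/sw/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/; object-src 'none'";
const INNER_CSP = "default-src * blob: data:;report-uri https://csp-collector.appspot.com/csp/amp;script-src blob: https://cdn.ampproject.org/rtv/ https://cdn.ampproject.org/v0.js https://cdn.ampproject.org/v0/ https://cdn.ampproject.org/viewer/;object-src 'none'";

// CSP3 fallback chain for worker (including service worker) script loads.
const WORKER_FALLBACK = ["worker-src", "child-src", "script-src", "default-src"];

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (key && !policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Simplified matching: "*", scheme-sources, and host-sources with an
// optional path. Keywords such as 'none' or 'self' never match here.
function sourceAllows(source, url) {
  if (source.startsWith("'")) return false;
  if (source === "*") return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  let src;
  try { src = new URL(source); } catch { return false; }
  if (src.protocol !== url.protocol || src.host !== url.host) return false;
  if (src.pathname === "/") return true;          // host only: any path
  return src.pathname.endsWith("/")
    ? url.pathname.startsWith(src.pathname)       // directory prefix match
    : url.pathname === src.pathname;              // exact file match
}

function workerScriptAllowed(header, scriptUrl) {
  const policy = parseCsp(header);
  const directive = WORKER_FALLBACK.find((d) => policy.has(d)) || null;
  if (!directive) return { directive, allowed: true }; // nothing restricts it
  const url = new URL(scriptUrl);
  return { directive, allowed: policy.get(directive).some((s) => sourceAllows(s, url)) };
}

// Constructed URLs: a publisher-origin worker and one under the /sw/ prefix.
for (const u of ["https://example.com/sw.js", "https://cdn.ampproject.org/sw/example.js"]) {
  console.log(u, "outer:", workerScriptAllowed(OUTER_CSP, u), "inner:", workerScriptAllowed(INNER_CSP, u));
}
```

Neither policy declares `worker-src` or `child-src`, so `script-src` governs worker scripts in both; only the outer list contains the `https://cdn.ampproject.org/sw/` prefix.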

@ithinkihaveacat
Contributor

Chrome doesn't implement this yet; see https://bugs.chromium.org/p/chromium/issues/detail?id=939237 ("ServiceWorker registration fails on inner SXG").
