I'm currently implementing Firebase to send Webpush notification on a not fully HTTPS webapp. As webpsuh is using service worker which need HTTPS, I did some research to better understand how to use them and on Google Developers website I've found:
You can only register service workers on pages served over HTTPS, so we know the service worker the browser receives hasn't been tampered with during its journey through the network.
Does this means it is possible to register a service worker from a HTTPS page even though the rest of the website is HTTP ?
I've came across the issue https://github.com/w3c/ServiceWorker/issues/199 and @jyasskin's comment :
If the page requesting the SW isn't secure, and the SW is https but on an attacker-controlled domain, you haven't gained anything at all. Yes, the whole app will need to be https.
But because this was said before the specs around HTTP/HTTPS were done, I've been wondering if, in the final way service workers are implemented, the whole app has to be https?
Thanks in advance for any clarification !
Yes, it has to be on HTTPS. Or more precise: secure contexts.
Does this means it is possible to register a service worker from a HTTPS page even though the rest of the website is HTTP?
You could send the user to an HTTPS page where there'd subscribe to push messages, then send them back to your HTTP site. You wouldn't be able to do this by including the HTTPS page inside the HTTP page as an iframe.
The service worker wouldn't control any of the HTTP pages, as it would consider them to be part of a different site, as the origin is different.
Thanks for the quick replies !
So from what I understand, it is possible to register a service worker on a HTTPS page even though some others pages of the website are HTTP as long as it's in a secure context. Since I want to use service worker for push notifications and not to control any of the HTTP page, it should worked.
it is possible to register a service worker on a HTTPS page even though some others pages of the website are HTTP
The browser considers these to be different websites.