Does my web application require SSL for Firebase Cloud Messaging for Web to work? [closed]

独自空忆成欢 submitted on 2020-02-25 04:16:31

Question


With Firebase Cloud Messaging for Web,
1. Does my web application domain still require SSL?
2. Or only the service worker.js needs to be on an SSL site? If so, can I host the service worker on an SSL site but keep my web application on a non-SSL site?

Any feedback is much appreciated.

Thank you,
Christina


Answer 1:


To use a service worker the following condition must be met:

The web site registering the service worker MUST be registering a service worker hosted on the same origin.

This means the site registering the service worker must be on HTTPS and the service worker, which has to be on the same origin, will be served over HTTPS as a result.

(There is a future API to get around this but it has its own complications - Foreign Fetch)

One common way around this is to host a website on SSL that is solely used for push and either redirect to this page OR embed as an iframe.

The caveat here is a poor user experience with the redirect and there is no guarantee that the iframe approach will work in the future.

Generally, given the number of new APIs that require HTTPS, I'd strongly recommend checking out Let's Encrypt for free TLS certificates OR trying out a service like CloudFlare which will give you HTTPS.




Answer 2:


  1. Does my web application domain still require SSL?
    • Yes, if you are the owner of service worker.js
    • No, if you use a third party (look at Pushpad Express) https://pushpad.xyz/
  2. Or only the service worker.js needs to be on an SSL site? If so, can I host the service worker on an SSL site but keep my web application on a non-SSL site?
    • Yes, only the service worker needs to be on an SSL site. For your web application on a non-SSL site, look at Pushpad Express



Answer 3:


The service worker registration is associated to the domain from which it is served.

can I host the service worker on an SSL site but keep my web application on a non-SSL site?

I haven't tested but I'm pretty sure that you cannot do that. Indeed a man in the middle would be able to compromise your non-SSL page and register a service worker from a malicious website, thus associating a malicious service worker to your domain.

Obviously you don't need to secure all your application: you can use SSL just for the pages that need the service worker.

BTW if you need web push notifications and you don't have an SSL take a look at Pushpad Express (I am the founder)
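
The same-origin and HTTPS rule discussed in the answers above, as an added example that is not part of the original thread: a model, runnable in Node.js, of the checks a browser applies before a service worker registration can succeed (secure page, same-origin script, scope inside the script's directory). The function names and the `shop.example` / `push.example` URLs are constructed for illustration.

```javascript
// Hosts browsers treat as trustworthy even over plain HTTP (local development).
function isLoopback(hostname) {
  return hostname === 'localhost' || hostname.endsWith('.localhost') ||
         /^127(\.\d{1,3}){3}$/.test(hostname) || hostname === '[::1]';
}

// A page is a secure context when served over HTTPS or from loopback.
function isSecurePage(url) {
  return url.protocol === 'https:' ||
         (url.protocol === 'http:' && isLoopback(url.hostname));
}

// Returns { ok, reason } for a registration attempt made from pageHref.
function checkRegistration(pageHref, scriptHref, scopeHref) {
  const page = new URL(pageHref);
  const script = new URL(scriptHref, page); // relative URLs resolve against the page
  if (!isSecurePage(page)) {
    return { ok: false, reason: 'page is not a secure context' };
  }
  if (script.origin !== page.origin) {
    return { ok: false, reason: 'worker script is on a different origin' };
  }
  // Default scope is the script's directory; a wider scope is refused
  // (unless the server sends Service-Worker-Allowed, not modelled here).
  const maxScope = new URL('./', script);
  const scope = scopeHref ? new URL(scopeHref, page) : maxScope;
  if (scope.origin !== page.origin || !scope.pathname.startsWith(maxScope.pathname)) {
    return { ok: false, reason: 'scope is outside the worker script directory' };
  }
  return { ok: true, reason: 'registration allowed', scope: scope.href };
}

// Constructed scenarios, including the split HTTP app / HTTPS worker setup asked about.
const scenarios = [
  ['http://shop.example/', 'https://push.example/sw.js'],
  ['https://shop.example/', 'https://push.example/sw.js'],
  ['https://shop.example/app/', '/sw.js'],
  ['http://localhost:8080/', '/sw.js'],
  ['https://shop.example/', '/js/sw.js', '/'],
];
for (const s of scenarios) {
  console.log(s.join(' + '), '->', checkRegistration(...s).reason);
}
```

The first two scenarios show why hosting only the worker on an HTTPS site does not help: the HTTP page fails the secure-context check, and an HTTPS page still cannot register a script from another origin.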



Source: https://stackoverflow.com/questions/40298292/does-my-web-application-require-ssl-for-firebase-cloud-messaging-for-web-to-work
