Require `[SecureContext]` for interfaces with `[Exposed=ServiceWorker]` or not?

[saschanaz]

The current spec only adds [Exposed] to all service-worker-specific interfaces except ServiceWorkerGlobalScope. Other specs also generally prefers not to give SecureContext, per webref:

• Specs with SecureContext: push-api
• Specs without SecureContext: content-index, background-sync, background-fetch, payment-handle, cookie-store, periodic-background-sync

Gecko and Blink do not add [SecureContext] for those interfaces but WebKit does. (For Gecko, devtools allows non-secure context to temporarily run service worker so SecureContext doesn't make a lot of sense)

Given there's no spec other than push-api that adds SecureContext I filed w3c/push-api#397, but then found there's no explicit agreement nor guideline, and so the issue here.

[yoshisatoyanagisawa]

As you know, ServiceWorkers can be executed only in the secure context, and the clients must be in the secure context to access it. https://w3c.github.io/ServiceWorker/#secure-context
Therefore, even if there is no explicit SecureContext, I assume it actually be executed inside.

Is there any corner case scenarios having SecureContext or not matter?
...stepping back, in w3c/push-api#397, you say Firefox has a way to run ServiceWorker without secure context. Is that a case?

[saschanaz]

Therefore, even if there is no explicit SecureContext, I assume it actually be executed inside.

Agreed.

...stepping back, in w3c/push-api#397, you say Firefox has a way to run ServiceWorker without secure context. Is that a case?

Yes, for local testing purpose if and only if devtools is opened and the user opted in.

We make sure that all service worker interfaces would be exposed in such cases so that the testing environment would be as equivalent as possible to real world environment.