Consider a case where you want to upgrade both your origin policy and service worker at once. For example:
v1:
- Service worker does `importScripts("https://third-party.example/lib.js")`
- Origin policy's CSP allows `script-src` from `https://third-party.example`

v2:
- Service worker does `importScripts("/vendored/lib.js")`
- Origin policy's CSP no longer allows script imports from `https://third-party.example`
Unfortunately, there doesn't seem to be any glue which can allow these to upgrade together. For example, a user could visit the site and get origin policy v2, but service worker v1, and thus the service worker is broken.
This will generally be nondeterministic. E.g. if using async update for the OP, then both the OP and the service worker will update in the background, but maybe only one of them manages to update before the user goes offline. If using sync update, then the OP will definitely update, but again, maybe the service worker won't update before the user goes offline.
@wanderview suggests one solution here is making the origin policy go through the service worker (which, per #85 (comment), means abandoning origin policy for subresources, and thus abandoning origin policy helping with CORS preflights). Then you would have to carefully craft your service worker to never serve the browser an up-to-date origin policy resource until its install event handler is done. I'm not a big fan of this because it's broken by default, requiring you to write special handling for the origin policy and its interaction with the service worker lifecycle. (And it removes one of the major use cases for origin policy, i.e. the CORS preflight removal.)
However, I don't have any really good ideas here.
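As an added illustration (not part of the issue or the origin-policy project), the following script enumerates the (origin policy, service worker) version pairs a user can end up with under async and sync origin-policy update and flags the ones where the policy's `script-src` blocks the service worker's imports. The first-party origin `https://site.example` and the simplified CSP matching ('self' or an exact origin) are assumptions.

```javascript
// Deploy-time skew check for the scenario in the issue. Versions are
// constructed from the issue text; site origin and CSP matching are assumed.
const SITE_ORIGIN = "https://site.example"; // assumed first-party origin

const VERSIONS = {
  v1: {
    swImports: ["https://third-party.example/lib.js"],
    csp: "script-src 'self' https://third-party.example",
  },
  v2: {
    swImports: ["/vendored/lib.js"],
    csp: "script-src 'self'",
  },
};

// Source expressions of the CSP's script-src directive (empty if absent).
function scriptSrcSources(csp) {
  const directive = csp.split(";").map(s => s.trim())
    .find(d => d.startsWith("script-src"));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Simplified CSP host matching: 'self' or an exact origin match only.
function sourceAllows(source, url) {
  const { origin } = new URL(url, SITE_ORIGIN);
  if (source === "'self'") return origin === SITE_ORIGIN;
  return source === origin;
}

// Does service worker version `sw` load under origin policy version `op`?
function compatible(op, sw) {
  const sources = scriptSrcSources(VERSIONS[op].csp);
  return VERSIONS[sw].swImports.every(u => sources.some(s => sourceAllows(s, u)));
}

// Pairs [op, sw] a user can observe while upgrading oldV -> newV.
// async: both update in the background, so either may land first.
// sync: the origin policy always lands, but the SW may still lag behind.
function reachablePairs(mode, oldV, newV) {
  const ops = mode === "sync" ? [newV] : [oldV, newV];
  return ops.flatMap(op => [oldV, newV].map(sw => [op, sw]));
}

// Pairs that leave the user with a service worker the policy blocks.
function brokenPairs(mode, oldV = "v1", newV = "v2") {
  return reachablePairs(mode, oldV, newV).filter(([op, sw]) => !compatible(op, sw));
}
```

Both update modes report `[["v2","v1"]]`: origin policy v2 with service worker v1 is the combination the issue describes as broken, and neither mode rules it out.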