mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-23 04:41:11 +00:00
a212459d62
This patch introduces an explicit concept of lifetimes with mechanisms in place so that actions taken by Clients (windows or non-ServiceWorker orkers) will extend the lifetime of a ServiceWorker, but a ServiceWorker cannot extend the life of another ServiceWorker. The areas of concern are: - ServiceWorker.postMessage: With ServiceWorkers exposed on workers and the ability to access other registrations via ServiceWorkerContainer being exposed, ServiceWorkers can message other ServiceWorkers. It's essential that they never be allowed to give a ServiceWorker a lifetime longer than their own. - ServiceWorkerRegistration.update(): Requesting an update of a registration should not allow any installed/updated ServiceWorker to have a lifetime longer than the ServiceWorker creating the request. - ServiceWorkerContainer.register(): Requesting the installation of a new ServiceWorker should likewise constrain the lifetime of the newly installed ServiceWorker. Note that in cases where we would potentially spawn a ServiceWorker, whether it be in response to postMessage or as part of an install or update, a key criteria is whether the lifetime extends far enough into the future for us to believe the ServiceWorker can accomplish anything. Currently we have a constant of 5 seconds against a normal full lifetime of 30 seconds (before 30 second grace period). So once a SW has < 5 seconds of lifetime left, it won't be able to spawn a SW. Note that in the case of install/update, we do not prevent the creation of the job at this time, instead the job will fail during the check script evaluation step as failure to spawn the ServiceWorker is equivalent to a script load failure. A somewhat ugly part of this implementation is that because Bug 1853706 is not yet implemented, our actors that are fundamentally associated with a global don't have an inherent understanding of their relationship to that global. So we approximate that by: - For postMessage, we always have a ServiceWorkerDescriptor if we are being messaged by a ServiceWorker, allowing us direct lookup. - ServiceWorkerRegistration.update(): In a previous patch in the stack we had ServiceWorkerRegistrationProxy latch the ClientInfo of its owning global when it was created. Note that in the case of a ServiceWorker's own registration, this will be created at startup before the worker hits the execution ready state. - Note that because we have at most one live ServiceWorkerRegistration per global at a time, and the registration is fundamentally associated with the ServiceWorkerGlobalScope, that registration and its proxy will remain alive for the duration of the global. - ServiceWorkerContainer.register(): We already were sending the client info along with the register call (as well as all other calls on the container). Looking up the ServiceWorker from its client is not something that was really intended. This is further complicated by ServiceWorkerManager being authoritative for ServiceWorkers on the parent process main thread whereas the ClientManagerService is authoritative on PBackground and actor-centric, making sketchy multi-threaded maps not really an option. Looking up the ServiceWorker from a ServiceWorkerDescriptor is intended, but the primary intent in those cases is so that the recipient of such a descriptor can easily create a ServiceWorker instance that is live-updating (by way of its owning ServiceWorkerRegistration; we don't have IPC actors directly for ServiceWorkers, just the registration). Adding the descriptor to clients until Bug 1853706 is implemented would be an exceedingly ugly workaround because it would greatly complicate the existing plumbing code, and a lot of the code is confusing enough as-is. This patch initially adopted an approach of encoding the scope of a ServiceWorker as its client URL, but it turns out web extension ServiceWorker support (reasonably) assumed the URL would be the script URL so the original behavior was restored and when performing our lookup we just check all registrations associated with the given origin. This is okay because register and update calls are inherently expensive, rare operations and the overhead of the additional checks is marginal. Additionally, we can remove this logic once Bug 1853706 is implemented. As part of that initial scope tunneling was that, as noted above, we do sample the ClientInfo for a ServiceWorker's own registration before the worker is execution-ready. And prior to this patch, we only would populate the URL during execution-ready because for most globals, we can't possibly know the URL when the ClientSource is created. However, for ServiceWorkers we can. Because we also want to know what the id of the ServiceWorker client would be, we also change the creation of the ServiceWorker ClientSource so that it uses a ClientInfo created by the authoritative ServiceWorkerPrivate in its Initialize method. A minor retained hack is that because the worker scriptloader propagates its CSP structure onto its ClientInfo (but not its ClientSource, which feels weird, but makes sense) and that does get sent via register(), we do also need to normalize the ClientInfo in the parent when we do equality checking to have it ignore the CSP. Differential Revision: https://phabricator.services.mozilla.com/D180915 |
||
---|---|---|
.. | ||
api | ||
manager | ||
moz.build |