
Service worker on a not fully HTTPS webapp


I'm currently implementing Firebase to send Webpush notifications on a not fully HTTPS webapp. As webpush is using a service worker, I did some research, and on the Google Developers website it is stated:

You can only register service workers on pages served over HTTPS, so we know the service worker the browser receives hasn't been tampered with during its journey through the network.

Does this mean it is possible to register a service worker from an HTTPS page even though the rest of the website is HTTP?

Thanks in advance for any clarification!

EDIT

I've found this conversation on the W3C GitHub which says that the service worker should be served over HTTPS. From what I understand, it is possible to have other HTTP pages as long as communication with the service worker is served over HTTPS, am I getting this right?

From the debate about specifications, @jyasskin said:

If the page requesting the SW isn't secure, and the SW is https but on an attacker-controlled domain, you haven't gained anything at all. Yes, the whole app will need to be https.

But this was said before service worker specifications were completely set, so not sure if this was the final way it was specified.


Solution

  • I've opened directly on GitHub an issue related to this particular question.

    They were quick to respond that it is possible to register from an HTTPS page even though the rest of the website is HTTP, as long as it's in a secure context.

    The browser will consider the https and http pages as 2 different websites though, and the service worker will not be able to have control over the http one.
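
The rules from this answer, as an added example that is not part of the original post: a simplified JavaScript model of the secure-context, same-origin and scope checks behind `navigator.serviceWorker.register()`, showing why an HTTPS-registered worker never controls the HTTP pages. The function names and the example.com / example.net URLs are assumptions made for illustration.

```javascript
// Simplified model of the checks a browser applies to
// navigator.serviceWorker.register(). Assumptions: top-level pages only, no
// Service-Worker-Allowed header. Function names are hypothetical.

function isPotentiallySecure(url) {
  const u = new URL(url);
  if (u.protocol === 'https:') return true;
  // Loopback hosts count as secure so that local development works.
  return ['localhost', '127.0.0.1'].includes(u.hostname) ||
         u.hostname.endsWith('.localhost');
}

function checkRegistration(pageUrl, scriptUrl, scope) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, page);
  // Default scope is the script's directory; an explicit scope is resolved
  // against the registering page.
  const maxScope = new URL('./', script);
  const scopeUrl = scope === undefined ? maxScope : new URL(scope, page);

  if (!isPotentiallySecure(page.href)) {
    return { ok: false, reason: 'registering page is not a secure context' };
  }
  if (script.origin !== page.origin) {
    return { ok: false, reason: 'script is not same-origin with the page' };
  }
  if (scopeUrl.origin !== page.origin) {
    return { ok: false, reason: 'scope is not same-origin with the page' };
  }
  if (!scopeUrl.pathname.startsWith(maxScope.pathname)) {
    return { ok: false, reason: 'scope is outside the script directory' };
  }
  return { ok: true, scope: scopeUrl.href };
}

// A page is controlled only if its URL starts with the scope URL. The scheme is
// part of that URL, so an http:// page never matches an https:// scope.
function controls(scopeHref, clientUrl) {
  return new URL(clientUrl).href.startsWith(scopeHref);
}

// Constructed sample URLs on example.com / example.net.
const reg = checkRegistration('https://example.com/push/subscribe.html', '/push/sw.js');
console.log(reg);
console.log(controls(reg.scope, 'https://example.com/push/settings.html'));
console.log(controls(reg.scope, 'http://example.com/push/settings.html'));
console.log(checkRegistration('http://example.com/index.html', 'https://cdn.example.net/sw.js'));
```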