With Firebase Cloud Messaging for Web,
1. Does my web application domain still require SSL?
2. Or only the service worker.js needs to be on an SSL site? If so, can I host the service worker on an SSL site but keep my web application on a non-SSL site?
Any feedback is much appreciated.
Thank you,
Christina
To use a service worker the following condition must be met:
This means the site registering the service worker must be on HTTPS and the service worker, which has to be on the same origin, will be served over HTTPS as a result.
(There is a future API to get around this but has its own complications - Foreign Fetch)
One common way around this is to host a website on SSL that is solely used for push and either redirect to this page OR embed as an iframe.
The caveat here is a poor user experience with the redirect and there is no guarantee that the iframe approach will work in the future.
Generally, given the number of new APIs that require HTTPS, I'd strongly recommend checking out Let's Encrypt for free TLS certificates OR trying out a service like CloudFlare which will give you HTTPS.
The service worker registration is associated to the domain from which it is served.
I haven't tested but I'm pretty sure that you cannot do that. Indeed a man in the middle would be able to compromise your non-SSL page and register a service worker from a malicious website, thus associating a malicious service worker to your domain.
Obviously you don't need to secure all your application: you can use SSL just for the pages that need the service worker.
BTW if you need web push notifications and you don't have an SSL take a look at Pushpad Express (I am the founder)
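The rule both answers describe (the registering page must be a secure context and the worker script must be same-origin with it), as an added example that is not part of the original thread. It is a simplified model of the browser's checks; the function names and the `shop.example` / `push.example` URLs are constructed for illustration.

```javascript
// Simplified model of what a browser checks before it accepts
// navigator.serviceWorker.register(scriptUrl, { scope }).
// Added example: names and URLs below are constructed, not from the thread.

// Loopback hosts count as secure contexts even over plain HTTP (local dev).
function isLoopback(hostname) {
  return hostname === 'localhost' || hostname.endsWith('.localhost') ||
         hostname === '127.0.0.1' || hostname === '[::1]';
}

function isSecurePage(url) {
  return url.protocol === 'https:' ||
         (url.protocol === 'http:' && isLoopback(url.hostname));
}

function checkRegistration(pageHref, scriptHref, scopeHref) {
  const page = new URL(pageHref);
  const script = new URL(scriptHref, page); // relative URLs resolve against the page

  if (!isSecurePage(page)) {
    return { ok: false, reason: 'page is not a secure context' };
  }
  // Origin = scheme + host + port, so an http script on an https page fails too.
  if (script.origin !== page.origin) {
    return { ok: false, reason: 'script is cross-origin' };
  }
  // The widest scope allowed by default is the directory holding the script.
  // (A server can widen it with the Service-Worker-Allowed response header,
  // which this model does not cover.)
  const maxScope = new URL('./', script);
  const scope = new URL(scopeHref || './', script);
  if (scope.origin !== page.origin) {
    return { ok: false, reason: 'scope is cross-origin' };
  }
  if (!scope.pathname.startsWith(maxScope.pathname)) {
    return { ok: false, reason: 'scope is outside script directory' };
  }
  return { ok: true, scope: scope.href };
}

// The setup asked about in the question: HTTP app, worker hosted on an HTTPS site.
console.log(checkRegistration('http://shop.example/index.html', 'https://push.example/sw.js'));
// Same app moved to HTTPS with the worker at its own root.
console.log(checkRegistration('https://shop.example/app/index.html', '/sw.js'));
```
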