Gopinath Shiva

Reputation: 3892

Why won't service workers work on HTTP sites?

I am learning about the service worker API. I found more cool features in it. But what excites me is why it works only on HTTPS sites and not on HTTP sites.

I believe this has something to do with security, yet I couldn't find the reason while browsing. So any explanation of this is appreciated...

Upvotes: 0

Views: 1676

Answers (2)

dontcallmedom

Reputation: 2480

To complement @deceze's answer: if an attacker man-in-the-middles a connection to an HTTP site, they can compromise this site this time only — a later connection to the site is not guaranteed to be compromised and, for instance for attacks that rely on local network access, may not be easily reproducible.

If one could use a service worker on HTTP web sites, an attacker would need to do just one man-in-the-middle attack to be forever (or at least until that browser is cleared) the source of the content for the said site.

Upvotes: 3

deceze

Reputation: 522636

Since service workers are rather powerful, being able to run even when the original page is no longer open, you'll really want to limit who can set up a service worker and who can't. Since a plain HTTP request is very easily man-in-the-middled, any random JavaScript could be injected into such a request, which could set up a service worker. Which means, your ISP, a government like China, or a serious attacker could set up service workers very easily. By requiring an HTTPS connection, men-in-the-middle are largely avoided and you can at least assure that the JavaScript that sets up the service worker actually came from the page you think it did.

Upvotes: 5
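Added example, not part of either answer: browsers enforce the restriction discussed above through a secure-context check, which accepts HTTPS and also loopback addresses so that local development still works. The sketch below is a simplified version of that check plus a guarded registration; the function names and the `/sw.js` path are assumptions, and real browsers apply their own, more complete logic.

```javascript
// Simplified "potentially trustworthy origin" check, modelled on the
// W3C Secure Contexts rule that gates service worker registration.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable input is never trusted
  }
  // Authenticated, encrypted transport: the script cannot be rewritten in transit.
  if (url.protocol === 'https:' || url.protocol === 'wss:') return true;

  // Loopback traffic never leaves the machine, so there is no network path
  // on which a man-in-the-middle could inject a worker script.
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^127(\.\d{1,3}){3}$/.test(host)) return true; // 127.0.0.0/8
  if (host === '[::1]') return true;                  // IPv6 loopback

  // Anything else over plain HTTP can be modified by anyone on the path.
  return false;
}

// Register only when the API is exposed and the page is a secure context.
// In an insecure context browsers do not expose navigator.serviceWorker.
// '/sw.js' is a hypothetical script path.
async function registerServiceWorker(scriptUrl = '/sw.js') {
  const hasApi = typeof navigator !== 'undefined' && 'serviceWorker' in navigator;
  const secure = typeof isSecureContext !== 'undefined' && isSecureContext === true;
  if (!hasApi || !secure) {
    return { registered: false, reason: secure ? 'unsupported' : 'insecure-context' };
  }
  const registration = await navigator.serviceWorker.register(scriptUrl);
  return { registered: true, scope: registration.scope };
}

// Constructed sample origins, classified by the check above.
const SAMPLE_URLS = [
  'https://example.com/app',
  'http://example.com/app',
  'http://localhost:8080/',
  'http://127.0.0.1:3000/',
  'http://[::1]:3000/',
  'http://127.0.0.1.example.com/',
];
const classified = SAMPLE_URLS.map((u) => [u, isPotentiallyTrustworthy(u)]);
```

Note that the loopback exception does not weaken the argument in the answers: a persistent worker installed for `http://localhost` only ever controls pages served from the user's own machine.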
