Why do I need to place a Service Worker File on my site for Web Push Notifications?

The Aimtell Service Worker handles the delivery of notifications to your subscribers. Without it, you lose the ability to send notifications to your subscribers wherever they are and whatever they are doing.

Quick Background

Service Workers (SW) are a relatively new feature available in all modern browsers as part of the Progressive Web App initiative. The goal of the SW is to provide functionality previously available only to mobile apps, such as Push Notifications and offline browsing.

Explanation

There are two reasons why these files must be uploaded to the site itself (e.g. https://www.winzip.com/aimtell-worker.js, https://www.legacy.com/aimtell-worker.js, https://www.blinds.com/aimtell-worker.js) rather than added via code or through a tag manager:

  1. This file runs completely detached from the DOM and from your website visitor's “session”. Even once they’ve left your site, the SW still runs. This is how we’re able to deliver a notification to the individual even if the phone is in their pocket, or if they haven’t been to your site in weeks and are currently browsing Amazon.com. If it were simply code on the page, it could only run while someone is on your site, and you would lose the powerful ability to deliver pushes at any time, any place.
  2. The browser enforces this as a security measure that essentially validates you own the domain. Had this not been in place, someone could in theory find an XSS vulnerability (Wikipedia Article), which in turn could become an immense security issue because they could initiate a malicious SW.
    a. Typically an XSS vulnerability allows a specifically crafted URL to grab some sensitive data of a visitor. This is already terrible of course and one of the biggest security issues the internet sees.
    b. Now, if someone were able to initiate a SW through an XSS (because they could just point to a CDN for the SW or embed the JavaScript), they would be able to register this SW and start sending push notifications on your behalf to the visitor who viewed the malicious URL. What would have been a one-off security risk (described in a.) would now be a vulnerability spanning months or years. Simply requiring the SW to be on your site means that even if, heaven forbid, someone found an XSS vulnerability on your site, they couldn’t take over Push Notifications on your behalf.
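
The browser-side rule described above can be modelled in a few lines. This is an added example, not Aimtell's code or any browser's implementation: it covers only the script-origin and scope checks applied by navigator.serviceWorker.register(), and the example.com / cdn.example.net URLs and the function name checkRegistration are constructed for illustration.

```javascript
// Added example (not Aimtell's code): a simplified model of the checks a
// browser applies to navigator.serviceWorker.register(scriptUrl, { scope }).
// allowedHeader is the worker response's Service-Worker-Allowed header, if any.
function checkRegistration(pageUrl, scriptUrl, scope, allowedHeader) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, page); // relative URLs resolve against the page
  const fail = (reason) => ({ ok: false, reason });
  const encodedSlash = (u) => /%2f|%5c/i.test(u.pathname);

  // Inline snippets can only offer blob:/data: URLs, which are refused outright.
  if (!/^https?:$/.test(script.protocol)) return fail("scheme");
  if (encodedSlash(script)) return fail("encoded-slash");
  // A worker hosted on a CDN or on someone else's server is a different origin.
  if (script.origin !== page.origin) return fail("cross-origin-script");

  // Default scope is the directory that holds the worker file.
  const scopeUrl = new URL(scope === undefined ? "./" : scope, script);
  if (scopeUrl.origin !== page.origin) return fail("cross-origin-scope");
  if (encodedSlash(scopeUrl)) return fail("encoded-slash");

  // The scope may not reach above the worker's directory unless the server
  // opts in with a Service-Worker-Allowed header on the worker response.
  const maxScope = new URL(allowedHeader === undefined ? "./" : allowedHeader, script);
  if (maxScope.origin !== script.origin ||
      !scopeUrl.pathname.startsWith(maxScope.pathname)) return fail("scope-too-wide");

  return { ok: true, scope: scopeUrl.href };
}

// Constructed sample inputs; the hosts are placeholders.
const samplePage = "https://www.example.com/products/item?id=1";
const sampleCases = [
  ["/aimtell-worker.js"],                      // file uploaded to the site root
  ["https://cdn.example.net/aimtell-worker.js"], // file hosted elsewhere
  ["blob:https://www.example.com/0000"],       // script built from an inline snippet
  ["/assets/js/aimtell-worker.js", "/"],       // subdirectory file asking for the whole site
  ["/assets/js/aimtell-worker.js", "/", "/"],  // same, with the server opt-in header
];
for (const [script, scope, header] of sampleCases) {
  console.log(script, JSON.stringify(checkRegistration(samplePage, script, scope, header)));
}
```

A worker file placed at the site root, as in the example URLs above, gets the whole site as its default scope without any extra header.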

Why can't I upload the SW as a Tag via my Tag Manager?

Most tag managers only support uploading JavaScript snippets rather than full-blown JavaScript files. From an ease-of-installation perspective, we certainly wish one could simply add a JavaScript tag to a site and circumvent the need to upload the SW file.

However, this limitation, which is not specific to just Aimtell and is enforced by the browser itself, is actually a good thing for the web as a whole. See the reasons above for more on why you need a Service Worker in general.