
fix(ratewise): fix insecure HTTPS connection on PWA cold start #493

Merged: s123104 merged 1 commit into main from fix/pwa-https-cold-start on Jun 27, 2026

Conversation


@s123104 s123104 commented Jun 27, 2026


Summary

Root cause

#447 changed start_url to an absolute HTTPS URL, but the SW still cached the .webmanifest with StaleWhileRevalidate. On a cold start, an installed PWA could read the old manifest (relative start_url), which triggered "this link is not secure" in Chrome standalone mode with HTTPS-First.

Also: scope was still the relative path /ratewise/, inconsistent with the absolute HTTPS start_url.

Changed files

  • apps/ratewise/src/sw.ts
  • apps/ratewise/scripts/generate-manifest.mjs
  • apps/ratewise/public/manifest.webmanifest
  • apps/ratewise/src/__tests__/sw.test.ts
  • apps/ratewise/src/config/__tests__/build-scripts.test.ts
  • .changeset/pwa-https-cold-start-hotfix.md
  • docs/dev/002_development_reward_penalty_log.md

Test plan

  • pnpm --filter @app/ratewise test -- sw.test build-scripts.test (87 passed)
  • pre-push: typecheck + test + build:ratewise
  • CI green
  • Production: installed PWA cold-started online once; the new SW took effect and the old manifest cache was discarded

QA verification matrix

#  | Item                             | Expected
Q1 | Production curl headers          | 200 HTTPS, HSTS
Q2 | manifest start_url / scope / id  | absolute https, scope = start_url
Q3 | sw.js precache URLs              | 0 http:// entries
Q4 | manifest fetch                   | NetworkOnly, no 7-day SWR cache
Q5 | dist/index.html mixed content    | no http resources

#456 navigation timeout decision (deliberately not included in this PR)

Conclusion: keep the 8 s bounded timeout of case 3; no separate follow-up to remove it.

Scenario                            | Behaviour                                              | Notes
case 1 warm cache                   | SWR returns immediately                                | no timeout
case 2 cold cache + precache hit    | precached index.html returned immediately              | no timeout (the root cause of the old 3 s global timeout in #456 is already eliminated here)
case 3 precache miss                | Promise.race falls back to offline.html after 8 s      | prevents an endless blank screen on a hung network

What #456 asked to remove was the old 3 s global navigation timeout (which misjudged the app as offline during iOS eviction); it was already removed in the hybrid SWR + precache-first refactor. The current 8 s applies only to case 3 and is covered by behavioural tests in sw.test.ts; removing it would leave an endless blank screen when the precache has been evicted and the network hangs.

Reinstall banner: not included, per KISS; manifest NetworkOnly plus one online cold start is enough for the new SW to take effect.
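Added example (not code from this PR or the RateWise project): standalone checks that mirror Q2 and Q3 of the QA matrix above, run against constructed manifest and precache samples. The origin example.invalid and the file names are placeholders.

```javascript
// Q2: start_url, scope and id must be absolute https URLs, and start_url must
// lie inside scope, otherwise a stale/relative manifest can send the installed
// PWA to an insecure or out-of-scope start page on cold start.
function checkManifest(manifest) {
  const problems = [];
  for (const key of ["start_url", "scope", "id"]) {
    const value = manifest[key];
    let url;
    try {
      url = new URL(value); // throws for relative values such as "/ratewise/"
    } catch {
      problems.push(`${key} is not an absolute URL: ${value}`);
      continue;
    }
    if (url.protocol !== "https:") problems.push(`${key} is not https: ${value}`);
  }
  if (problems.length === 0 && !manifest.start_url.startsWith(manifest.scope)) {
    problems.push("start_url is outside scope");
  }
  return problems;
}

// Q3: nothing in the service worker's precache list may be plain http.
// Entries may be bare URL strings or Workbox-style { url, revision } objects.
function findInsecurePrecacheEntries(entries) {
  return entries
    .map((e) => (typeof e === "string" ? e : e.url))
    .filter((u) => /^http:\/\//i.test(u));
}

// Constructed samples: the pre-fix shape (relative paths) beside the fixed one.
const ORIGIN = "https://example.invalid"; // placeholder origin
const staleManifest = { start_url: "/ratewise/", scope: "/ratewise/", id: "/ratewise/" };
const fixedManifest = {
  start_url: `${ORIGIN}/ratewise/`,
  scope: `${ORIGIN}/ratewise/`,
  id: `${ORIGIN}/ratewise/`,
};
const samplePrecache = [
  { url: `${ORIGIN}/ratewise/index.html`, revision: "abc123" },
  "http://example.invalid/ratewise/legacy.js", // constructed offending entry
];

console.log(checkManifest(staleManifest));              // three "not an absolute URL" problems
console.log(checkManifest(fixedManifest));              // []
console.log(findInsecurePrecacheEntries(samplePrecache)); // the http:// entry
```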



@github-actions


⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions


✅ SEO audit passed! All 2026-standard verification items meet the requirements.

  • ✅ Sitemap 2026 standard
  • ✅ Breadcrumb Schema
  • ✅ JSON-LD structured data
  • ✅ Internal link structure

- switch manifest.webmanifest to NetworkOnly so SWR cannot cache the old relative start_url
- sync scope to the absolute HTTPS SSOT (aligned with the #447 start_url)
- add sw/build-scripts regression tests and a patch changeset

Tests: pnpm --filter @app/ratewise test -- sw.test build-scripts.test; pnpm build:ratewise

Co-authored-by: Cursor <cursoragent@cursor.com>
@s123104 s123104 force-pushed the fix/pwa-https-cold-start branch from 6eacd2e to 3048542 Compare June 27, 2026 18:01
@github-actions


✅ SEO audit passed! All 2026-standard verification items meet the requirements.

  • ✅ Sitemap 2026 standard
  • ✅ Breadcrumb Schema
  • ✅ JSON-LD structured data
  • ✅ Internal link structure
