New Audit: Avoid file versioning for certain file types

[Malvoz]

Developers should avoid versioning the URLs (as otherwise commonly used for cache-busting) of both service workers and web app manifest files as described in:

• https://developers.google.com/web/fundamentals/primers/service-workers/lifecycle#avoid-url-change
• Specify how updates work w3c/manifest#446 (comment)

/cc @jeffposnick

[jeffposnick]

It's a good thing to avoid, but it seems super-hard to detect, though? If someone does decide to, e.g., add a hash into a service worker file, how many characters will that hash have? What will separate the hash from the file name? All of that is up to the developer and is hard to generalize.

[Malvoz]

You're right, but there are some conventions that could be looked for. I think the convention usually looks something like: <filename>(./-)<hash>.<extension>, but also using query strings:
<filename>.<extension>?=<hash>.

Plus developers are free to name the files anything they want, too. I think service workers are mostly named sw.js, or service(-/_)worker.js. While manifests (web)manifest.json and *.webmanifest.

It may be that it isn't worth the effort of implementing such an audit, considering all the ways to version a file. I also don't have any data that suggests that this is even all that common of a mistake to support this audit request.

[Malvoz]

FWIW, the Sec-Fetch-Dest HTTP header exposes both the manifest and serviceworker request destinations.

[Malvoz]

This is a duplicate issue of #2570, closing.