Require [SecureContext] for interfaces with [Exposed=ServiceWorker] or not?

[saschanaz]

The current spec only adds [Exposed] to all service-worker-specific interfaces except ServiceWorkerGlobalScope. Other specs also generally prefers not to give SecureContext, per webref:

• Specs with SecureContext: push-api
• Specs without SecureContext: content-index, background-sync, background-fetch, payment-handle, cookie-store, periodic-background-sync

Gecko and Blink do not add [SecureContext] for those interfaces but WebKit does. (For Gecko, devtools allows non-secure context to temporarily run service worker so SecureContext doesn't make a lot of sense)

Given there's no spec other than push-api that adds SecureContext I filed w3c/push-api#397, but then found there's no explicit agreement nor guideline, and so the issue here.

[yoshisatoyanagisawa]

As you know, ServiceWorkers can be executed only in the secure context, and the clients must be in the secure context to access it. https://w3c.github.io/ServiceWorker/#secure-context
Therefore, even if there is no explicit SecureContext, I assume it actually be executed inside.

Is there any corner case scenarios having SecureContext or not matter?
...stepping back, in w3c/push-api#397, you say Firefox has a way to run ServiceWorker without secure context. Is that a case?