Harden Service Worker scope, origin, and persistence boundaries.
Scope:
- Enforce same-origin script and scope restrictions, path scope limits, secure-context requirements, and scheme restrictions.
- Keep file: URL service workers disabled except where explicit test hooks allow them.
- Origin-key registration stores, Cache API stores, and clients so cross-origin access is impossible.
- Add private browsing/session isolation hooks where the browser storage model supports them.
- Add Clear-Site-Data integration points for registrations and caches.
Acceptance criteria:
- Tests cover cross-origin script rejection, illegal scope rejection, unsupported schemes, origin-isolated cache access, private store separation, and clear-site-data deletion.
- Error names/messages are useful enough for e2e assertions.
- No security checks are bypassed for normal network URLs.