- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 17 Jul 2012 02:53:54 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Web Notification WG <public-web-notification@w3.org>

On Tue, Jul 17, 2012 at 2:48 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Jul 10, 2012 at 11:05 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> 1. It's not possible to specify icons of different sizes. For example
>> specify 32x32, 64x64 and 128x128 icons. This would be nice in order to
>> use the same notification API on large desktop screens as well as
>> small mobile screens.
>
> I think we can address this in a future version. Developers can
> address this today by implementing the negotiation themselves.

I'm fine with addressing this in a future version.

>> 2. A website can see if the user is displaying the notifications by
>> checking if the server is pinged when the notification API is called.
>
> As others have indicated the show event does this as well. In addition
> the permission API exposes whether notifications will be displayed
> too.

Indeed.

>> 3. The fact that icons and titles can be set on a per-notification
>> basis makes it very easy to trick the user into thinking that a
>> notification is coming from someplace other than where it's coming.
>> For example it's very easy for a website to create a notification with
>> the facebook icon and a "Facebook" title to trick the user into
>> navigating to a phishing website. This is especially true once
>> facebook starts using the notification API. Hence as things stand,
>> this creates a disincentive for websites to start using notifications.
>> We can somewhat easily fold the title into the body by making the
>> notification body something like "title + ': ' + body". However we
>> can't do the same thing with the icon.
>
> The site would still need permission to show such a notification though.

Indeed. But it makes it a lot easier to phish the user: Build a simple game and then ask the user for permission to display notifications "so we can tell you when your friends beat your high score". Then wait a bit and send a notification with the facebook icon which when clicked brings the user to a facebook-login-lookalike page.

/ Jonas

Received on Tuesday, 17 July 2012 09:54:57 UTC