
Re: renamed iconUrl to icon

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 17 Jul 2012 02:53:54 -0700
Message-ID: <CA+c2ei-AO8C6usn3YGXMxRh5yLRkdQmPj7f8KUMQjDXbWfbUJQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Web Notification WG <public-web-notification@w3.org>

On Tue, Jul 17, 2012 at 2:48 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Tue, Jul 10, 2012 at 11:05 AM, Jonas Sicking <jonas@sicking.cc> wrote:
>> 1. It's not possible to specify icons of different sizes. For example
>> specify 32x32, 64x64 and 128x128 icons. This would be nice in order to
>> use the same notification API on large desktop screens as well as
>> small mobile screens.
> I think we can address this in a future version. Developers can
> address this today by implementing the negotiation themselves.

I'm fine with addressing this in a future version.

>> 2. A website can see if the user is displaying the notifications by
>> checking if the server is pinged when the notification API is called.
> As others have indicated the show event does this as well. In addition
> the permission API exposes whether notifications will be displayed
> too.


>> 3. The fact that icons and titles can be set on a per-notification
>> basis makes it very easy to trick the user into thinking that a
>> notification is coming from someplace other than where it's coming.
>> For example it's very easy for a website to create a notification with
>> the Facebook icon and a "Facebook" title to trick the user into
>> navigating to a phishing website. This is especially true once
>> Facebook starts using the notification API. Hence as things stand,
>> this creates a disincentive for websites to start using notifications.
>> We can somewhat easily fold the title into the body by making the
>> notification body something like "title + ': ' + body". However we
>> can't do the same thing with the icon.
> The site would still need permission to show such a notification though.

Indeed. But it makes it a lot easier to phish the user: Build a simple
game and then ask the user for permission to display notifications "so
we can tell you when your friends beat your high score". Then wait a
bit and send a notification with the Facebook icon which when clicked
brings the user to a Facebook-login-lookalike page.

/ Jonas
Received on Tuesday, 17 July 2012 09:54:57 UTC
