W3C home > Mailing lists > Public > public-web-notification@w3.org > July 2012

Re: renamed iconUrl to icon

From: Andrew Wilson <atwilson@google.com>
Date: Tue, 17 Jul 2012 23:00:24 -0700
Message-ID: <CAArhhiseW=PJ-TnzO1Y=Gh9TA+5NCdX5Zf5teP5SqGYggetHdA@mail.gmail.com>
To: Jonas Sicking <jonas@sicking.cc>
Cc: Anne van Kesteren <annevk@annevk.nl>, Web Notification WG <public-web-notification@w3.org>
On Tue, Jul 17, 2012 at 2:53 AM, Jonas Sicking <jonas@sicking.cc> wrote:

> On Tue, Jul 17, 2012 at 2:48 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
> > On Tue, Jul 10, 2012 at 11:05 AM, Jonas Sicking <jonas@sicking.cc>
> wrote:
> >> 1. It's not possible to specify icons of different sizes. For example
> >> specify 32x32, 64x64 and 128x128 icons. This would be nice in order to
> >> use the same notification API on large desktop screens as well as
> >> small mobile screens.
> >
> > I think we can address this in a future version. Developers can
> > address this today by implementing the negotiation themselves.
> I'm fine with addressing this in a future version.
> >> 2. A website can see if the user is displaying the notifications by
> >> checking if the server is pinged when the notification API is called.
> >
> > As others have indicated the show event does this as well. In addition
> > the permission API exposes whether notifications will be displayed
> > too.
> Indeed.
> >> 3. The fact that icons and titles can be set on a per-notification
> >> basis makes it very easy to trick the user into thinking that a
> >> notification is coming from someplace other than where it's coming.
> >> For example it's very easy for a website to create a notification with
> >> the facebook icon and a "Facebook" title to trick the user into
> >> navigating to a phishing website. This is especially true once
> >> facebook starts using the notification API. Hence as things stand,
> >> this creates a disincentive for websites to start using notifications.
> >> We can somewhat easily fold the title into the body by making the
> >> notification body something like "title + ': ' + body". However we
> >> can't do the same thing with the icon.
> >
> > The site would still need permission to show such a notification though.
> Indeed. But it makes it a lot easier to phish the user: Build a simple
> game and then ask the user for permission to display notifications "so
> we can tell you when your friends beat your high score". Then wait a
> bit and send a notification with the facebook icon which when clicked
> brings the user to a facebook-login-lookalike page.

Again, I think the onus is on the UA to ensure that the source of a
notification is clear to minimize fishing opportunities. I don't believe
that the icon in notifications will commonly be used to indicate the source
domain, but rather will be used to provide contextual information about the
notification (profile image of a facebook friend who sent you a message,
etc) meaning that the icon will be not particularly useful as an avenue for
phishing in any case.

But by trying to prevent web apps from using arbitrary dynamic icons for
their notification, you will not only make notification icons far less
useful, you'll actually make phishing *more* likely because web apps will
*only* use icons to display their logo (since they only get a single icon
and they have to display it to the user at the time of the permission
grant, they won't be able to use them to display contextual information).

> / Jonas
Received on Wednesday, 18 July 2012 06:00:52 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:14 UTC