- From: Peter Beverloo <notifications@github.com>
- Date: Mon, 24 Oct 2016 10:00:35 -0700
- To: w3c/push-api <push-api@noreply.github.com>
- Message-ID: <w3c/push-api/issues/211/255800245@github.com>
We have the following text in the specification: > A push subscription is a message delivery context established between the user agent and the push service on behalf of a webapp. Each push subscription is associated with a service worker registration and a service worker registration has at most one push subscription. It defines the association between a _push subscription_ and a _service worker registration_. The registration has a _scope url_ that is an absolute URL that includes the origin. The availability of this data on the client-side is therefore restricted to that origin. Whether the data send over the push subscription strictly comes from an application server for that origin is an unknown. If _foo.com_ shares their private key with _bar.com_ so that the latter can send messages on their behalf, there's nothing we can do about it. However, we can reasonably assume that this happened at the discretion of _foo.com_. Does this cover what you'd like to see explained in the spec? I'll propose something if so. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/push-api/issues/211#issuecomment-255800245
Received on Monday, 24 October 2016 17:01:09 UTC