[w3c/push-api] Security policies WRT Push traffic (#270)

It might be worth mentioning that this API is unusual in that there's no way to read this spec and implement firewall or IDS policies in support of push traffic. Firebase exists, but does not appear to document any details of their implementation. The editors are clearly aware of the possibility of Apple or Microsoft implementations, each of which will have unique "on the wire" behavior (in the absence of any standard). Thus, this API fans out into a murky and open-ended back end of protocol behavior, which will make it hard to manage, especially from a security perspective.

Please consider at least mentioning this very unusual approach in the security considerations.

-- 
https://github.com/w3c/push-api/issues/270

Received on Thursday, 22 June 2017 17:30:44 UTC