[w3c/push-api] Security review of Push API W3C Working Draft 23 June 2017 (#273)

I am a member of the IETF Security Directorate and have been asked to review this document from a security perspective by Sam Weiler, as part of a W3C trial attempting to get broader security reviews of W3C specs before they are published as recommendations. These comments were written primarily for the benefit of said trial. Document editors and WG chairs should treat these comments just like any other comments.

Observations:
- The Security Considerations sections note that there's no way for the user agent to validate that a push message was sent by an application server having the same origin as the webapp since "the application server is able to share the details necessary to use a push subscription with a third party at its own discretion." Is this undesirable behavior? If so, I am a little puzzled by the statement since I thought the webapp's ECDH public key could be used for identification (e.g., if provided in the form of a certificate). I may be missing some context here, though.
- The text talks about no reuse of push endpoints for new push subscriptions etc., but seems to be silent on good practices for selecting good endpoints. For example, if a user agent selects them in a predictable manner, this would also seem to allow for situations of "cross-subscription" push messages? If that's the case, then maybe provide guidance on how push endpoints shall be generated?

Editorial:
- In the Security Considerations section, "necessary to to use" -> "necessary to use"

/M

-- 
https://github.com/w3c/push-api/issues/273

Received on Monday, 26 June 2017 01:46:41 UTC
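The second observation asks for guidance on how push endpoints should be generated so that one subscription's endpoint cannot be derived from another's. The following added example, which is not from the review above or from the Push API specification, contrasts in Python a sequential endpoint scheme with one that draws each endpoint token from the operating system's CSPRNG, stores only a hash of the token, and never hands out the same token twice. The class names, the base URL `https://push.example/send/`, and the client ids are constructed for illustration.

```python
"""Added example: predictable vs. unguessable push endpoints (hypothetical
push-service classes, not the Push API specification's own code)."""
import hashlib
import secrets

BASE_URL = "https://push.example/send/"  # constructed placeholder push service


class PredictablePushService:
    """Weak scheme: endpoint tokens are a zero-padded counter. Knowing one
    endpoint lets anyone derive its neighbours, so a message can be pushed
    into a subscription that belongs to a different client."""

    def __init__(self):
        self._counter = 0
        self._subs = {}  # token -> client id

    def issue_endpoint(self, client_id):
        self._counter += 1
        token = f"{self._counter:08d}"
        self._subs[token] = client_id
        return BASE_URL + token

    def deliver(self, endpoint, message):
        token = endpoint[len(BASE_URL):]
        client = self._subs.get(token)
        return (client, message) if client else None


class RandomPushService:
    """Hardened scheme: each endpoint carries a fresh 256-bit token from the
    OS CSPRNG. Only the SHA-256 of the token is stored, so a leaked
    subscription table does not reveal usable endpoints, and a token is
    never reused for a new subscription."""

    TOKEN_BYTES = 32  # 256 bits of entropy per endpoint

    def __init__(self):
        self._subs = {}  # sha256(token) -> client id

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_endpoint(self, client_id):
        while True:
            token = secrets.token_urlsafe(self.TOKEN_BYTES)
            key = self._digest(token)
            if key not in self._subs:  # freshness: never reuse a token
                break
        self._subs[key] = client_id
        return BASE_URL + token

    def deliver(self, endpoint, message):
        if not endpoint.startswith(BASE_URL):
            return None
        token = endpoint[len(BASE_URL):]
        # Look up by digest: the secret itself is never compared directly.
        client = self._subs.get(self._digest(token))
        return (client, message) if client else None


def neighbour_endpoint(endpoint):
    """Derive the endpoint issued right after `endpoint` under the counter
    scheme; used only to show why sequential tokens are unsafe."""
    token = endpoint[len(BASE_URL):]
    return BASE_URL + f"{int(token) + 1:08d}"


def demo():
    """Return a summary showing cross-subscription delivery succeeds against
    the predictable service but not against the random one."""
    weak = PredictablePushService()
    alice_weak = weak.issue_endpoint("alice")
    weak.issue_endpoint("bob")
    # A holder of alice's endpoint reaches bob's subscription by guessing.
    guessed = weak.deliver(neighbour_endpoint(alice_weak), "cross-subscription")

    strong = RandomPushService()
    alice_strong = strong.issue_endpoint("alice")
    bob_strong = strong.issue_endpoint("bob")
    own = strong.deliver(alice_strong, "hello")
    # Tampering with one character of a random token yields no subscription.
    tampered = alice_strong[:-1] + ("A" if alice_strong[-1] != "A" else "B")
    forged = strong.deliver(tampered, "forged")
    return {
        "weak_cross_delivery": guessed,
        "strong_own_delivery": own,
        "strong_forged_delivery": forged,
        "strong_endpoints_distinct": alice_strong != bob_strong,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the digest rather than the token also means the lookup is a dictionary hit on a hash value, not a string comparison against the secret, which sidesteps the timing concerns of a direct equality check.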