Re: [w3c/push-api] Security review of Push API W3C Working Draft 23 June 2017 (#273)

Hi Magnus, thank you for the review!

> The Security Considerations sections note that there's no way for the user agent to validate that a push message was sent by an application server having the same origin as the webapp since "the application server is able to share the details necessary to use a push subscription with a third party at its own discretion." Is this undesirable behavior?

No, that's intended behaviour. Part of this is theoretical: there's no way for us to verify the originating origin of a push message if the application server decides to share their private key with other parties. Part of this is practical: there are valid use-cases for apps to do this, for instance a news feed aggregation client that receives updates from multiple agencies.

> The text talks about no reuse of push endpoints for new push subscriptions etc., but seems to be silent on good practices for selecting good endpoints.

Good point! I've uploaded a PR to address this, and would appreciate feedback: https://github.com/w3c/push-api/pull/274

> In the Security Considerations section, "necessary to to use" -> "necessary to use"

Also addressed in the PR.


https://github.com/w3c/push-api/issues/273#issuecomment-311059244

Received on Monday, 26 June 2017 13:29:45 UTC