- From: Martin Thomson <notifications@github.com>
- Date: Mon, 26 Jun 2017 09:15:54 -0700
- To: w3c/push-api <push-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 26 June 2017 16:16:33 UTC
martinthomson requested changes on this pull request.
You should reference the text in RFC 8030 about this: https://tools.ietf.org/html/rfc8030#section-8.2
> @@ -526,6 +526,13 @@
subscription</a> MUST be <a>deactivated</a>.
</p>
<p>
+ The <a>push endpoint</a> MUST NOT enable information about the user to be derived by actors
s/enable/expose
> @@ -526,6 +526,13 @@
subscription</a> MUST be <a>deactivated</a>.
</p>
<p>
+ The <a>push endpoint</a> MUST NOT enable information about the user to be derived by actors
+ other than the <a>push service</a>, such as the user's device, identity or location.
+ <a>Push services</a> that do not require <a>push subscriptions</a> to be restricted to an
+ <a>application server</a> [[!WEBPUSH-VAPID]] MUST NOT generate predictable
Why is this requirement only levied on endpoints that are NOT restricted? RFC 8030 is pretty clear on this point and restriction to an application server doesn't change that.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/pull/274#pullrequestreview-46309825
Received on Monday, 26 June 2017 16:16:33 UTC