Re: [w3c/push-api] Security review of Push API W3C Working Draft 23 June 2017 (#273)

Thanks Peter.
On #274, would it make sense to point to some existing resource providing guidance for how to generate such an identifier? Perhaps just referring to the Privacy Considerations in RFC 8030 is sufficient, in addition to the text you suggested?
One additional observation: Accepting a push subscription seems to enable the webapp / application server to remotely "wake up" the service worker and thus potentially incur network traffic and possible other resource usage for the user as a result. Perhaps the Security Considerations section should indicate the need to inform the user about possible consequences of entering into such an agreement?


Received on Monday, 26 June 2017 21:28:37 UTC