[w3c/push-api] Make it clear that an endpoint must contain a secure random (#301)

In the spec I can find this definition of *endpoint*:

> A push subscription has an associated push endpoint. It MUST be the absolute URL exposed by the push service where the application server can send push messages to. A push endpoint MUST uniquely identify the push subscription.

However, you don't mention that **the endpoint must be hard to guess** (e.g. include a secure random value). This was implicit for the first versions of the spec (VAPID was not present), but now I think that you should write that explicitly. All browsers currently do that, but I cannot find it in the spec.

This is really important for security: for example, the endpoint can be used by a JavaScript SDK to update the data associated with that endpoint (e.g. tags) on the application server. If someone can guess an endpoint, they can also alter the data (e.g. tags) associated with that endpoint in the database.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/issues/301

Received on Monday, 3 September 2018 19:53:22 UTC