Re: [w3c/push-api] Retry push event (#300)

Another reason for downloading the payload from the application server is that you get **an additional layer of security** (as I [described here](https://pushpad.xyz/security) some years ago). If you send payloads through the push service, an attacker who manages to steal secret data from the application database (e.g. endpoints and keys) can send fraudulent notifications to end users. Instead, if you download notification content from the application server, the hackers won't be able to show any notification... they can only send useless push signals.

https://github.com/w3c/push-api/issues/300#issuecomment-424878098

Received on Wednesday, 26 September 2018 21:37:07 UTC
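
The approach described in the comment above, as an added example that is not part of the original message or of the Push API specification: a service worker push handler that ignores the pushed payload and pulls the notification content from the application server. The endpoint path, the JSON shape `{title, body}` and the function names are assumptions made for illustration.

```javascript
// Added example: treat a push message as a bare signal, never as content.
// CONTENT_URL and the {title, body} response shape are hypothetical.
const CONTENT_URL = '/notifications/latest'; // same-origin application server endpoint

// fetchFn and showNotification are injected so the logic also runs outside a browser.
async function handlePushSignal(event, { fetchFn, showNotification }) {
  // event.data is deliberately not read: whoever holds a stolen endpoint and
  // subscription keys controls that payload, so it is never rendered.
  let content = null;
  try {
    const res = await fetchFn(CONTENT_URL, {
      credentials: 'same-origin', // session cookie selects this user's pending content
      cache: 'no-store',
    });
    if (res.ok) content = await res.json();
  } catch (err) {
    content = null; // network failure: fall through to the fixed notice
  }

  const valid = content !== null && typeof content === 'object' &&
    typeof content.title === 'string' && content.title.length > 0;
  if (!valid) {
    // Browsers that enforce userVisibleOnly expect some notification, so show
    // a fixed text that the sender of the push cannot influence.
    await showNotification('You have new activity', { body: '' });
    return 'generic';
  }
  await showNotification(content.title, { body: String(content.body || '') });
  return 'server-content';
}

// Wire the handler up only when running inside a service worker.
if (typeof self !== 'undefined' && self.registration) {
  self.addEventListener('push', (event) => {
    event.waitUntil(handlePushSignal(event, {
      fetchFn: (url, opts) => fetch(url, opts),
      showNotification: (t, o) => self.registration.showNotification(t, o),
    }));
  });
}
```

With this handler a forged push can at most trigger a fetch; what is displayed is decided by the application server's response or by the fixed fallback text.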