- From: JR Conlin <notifications@github.com>
- Date: Wed, 03 Apr 2019 10:22:19 -0700
- To: w3c/push-api <push-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/push-api/issues/303/479581964@github.com>
I think it's fairly reasonable for Push Subscription Servers to allow POST requests for subscription updates. A few things: 1) I've built a few javascript [WebPush test pages](https://mozilla-services.github.io/WebPushDataTestPage/) (although they use the older "aesgcm" encoding). The problem I tend to hit on are more around importing and deriving public keys inside of DOM level javascript. It works on Firefox, not so much on Chrome, but that's probably just my misunderstanding of Blink internals. 2) VAPID is how you identify yourself when you're pushing a subscription message. With firefox, it's optional. With Google, it's less optional. You can also use VAPID to create "restricted subscriptions" that are only valid if the same key is used to sign the VAPID header is used to lock the subscription. It's the application server key element of the [`.subscribe()`](https://developer.mozilla.org/en-US/docs/Web/API/PushManager/subscribe) call. 3) Push servers get a lot of trash like messages for expired push endpoints, badly formed messages, etc. One of the other goals of VAPID was to provide a way for you to say, "Hey, if you need to contact me, here's how you can." This can give our Ops folks a way to let you know there's a problem and let us help you fix it. So if you use some contact info like "bob@example.com" they're just going to black-hole all your data. Does that help? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3c/push-api/issues/303#issuecomment-479581964
Received on Wednesday, 3 April 2019 17:22:42 UTC