Re: [w3c/push-api] A javascript api for sending push notifications to others (#303)

I'm going to push back a bit on the VAPID requirement, mostly because VAPID is (supposed to be) Voluntary. It's also quite possible to generate VAPID headers on-the-fly, since they're bound to a given subscription, and that subscription may be as ephemeral as a test page. Heck, the body content of a push message is also optional, which means you don't have to have encryption if the body is empty, and the recipient would just get a push event.

It's absolutely true that you don't want to expose the full subscription info block (the endpoint + encryption credentials) to anyone, since those could be used to send messages as the subscription provider. VAPID provides a bit of extra protection there since the Key should be generated externally. Technically, that can still be true if the VAPID key is generated outside of the web app, and the user trusts that the private key is never communicated outside of the app. 

It's absolutely possible to generate the VAPID key in javascript using WebCrypto libraries.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/issues/303#issuecomment-998167587

Message ID: <w3c/push-api/issues/303/998167587@github.com>

Received on Monday, 20 December 2021 18:24:38 UTC