Re: [w3c/push-api] A javascript api for sending push notifications to others (#303)

With this slight change, two users (which tend to have addresses that vary) could signal / bootstrap a WebRTC connection between them.

What excites me is that a universal WebRTC signaling protocol could be created on top of WebPush.  For browser <-> browser peers they would use whatever push service is provided by the browser.  For native applications or browsers that don't support WebPush or browsers with push services that require CORS they could use subscriptions from Mozilla Autopush.  Lastly, for server peers, the server could act as its own push service so it wouldn't be dependent on any other servers. That way all peers in the network are equal (can be bootstrapped from) and signal their peer-connections in the same protocol.

> A user would share his endpoint directly with other users, but notifications are *associated to a domain name!* (and to its authority, permissions, etc.).

True, any app that makes its push info public would need to be careful when parsing the resulting messages.  It would also probably need to add signatures to the messages since you otherwise couldn't know who was sending you the message.  Lastly, it would be a form of cross-origin communication because any website with your push info can send you a message.

> 1. share the endpoint with the world

True, if abuse is noticed by either the client or the server they can invalidate / unsubscribe from the push subscription.  VAPID is mandatory now, and each token is valid for no more than 48hr (if I remember correctly).  Assuming you don't give away your application server key then you would need to provide the other person with a signed VAPID token limiting their abuse to ~48 hours (or however far out you pre-sign keys).

> 2. someone can send phishing or any other dangerous content to that user

Right, a website would need to be careful parsing.  I agree that it's totally an abuse of the "notification" system to do this and protecting users might necessitate not allowing it.  Browsers have tried to limit this use case by requiring web apps to produce a notification for every push message they receive (a default notification is created if the app doesn't create one).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/issues/303#issuecomment-998538916

Message ID: <w3c/push-api/issues/303/998538916@github.com>

Received on Tuesday, 21 December 2021 07:32:05 UTC
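
An added example, not part of the original comment or of any project's code: a check of the claims in a pre-signed VAPID token before it is handed to a peer together with a subscription endpoint, the scenario the reply above describes for limiting abuse. The endpoint, token contents and clock value are constructed, the 24-hour default is the `exp` limit stated in RFC 8292 (passed as a parameter), and the signature itself is not verified.

```javascript
// Added example (not from the thread): audit the claims of a pre-signed VAPID
// JWT before sharing it with a peer. The signature is not checked here.
const RFC8292_MAX_LIFETIME = 24 * 60 * 60; // seconds; exp cap in RFC 8292 section 2

function b64urlToObject(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
  if (value === null || typeof value !== "object") throw new TypeError("not an object");
  return value;
}

// Returns a list of problems; an empty list means no problem was found.
function auditVapidToken(jwt, endpoint, nowSec, maxLifetime = RFC8292_MAX_LIFETIME) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) return ["not a three-part JWT"];
  let header, claims;
  try {
    header = b64urlToObject(parts[0]);
    claims = b64urlToObject(parts[1]);
  } catch (e) {
    return ["header or claims are not base64url-encoded JSON objects"];
  }
  const problems = [];
  if (header.alg !== "ES256") problems.push("alg must be ES256");
  // aud pins the token to one push service origin, so it is useless elsewhere.
  if (claims.aud !== new URL(endpoint).origin) problems.push("aud does not match endpoint origin");
  // The lifetime bounds how long a leaked or misused token stays valid.
  if (!Number.isInteger(claims.exp)) problems.push("exp missing or not an integer");
  else if (claims.exp <= nowSec) problems.push("token already expired");
  else if (claims.exp - nowSec > maxLifetime) problems.push("exp too far in the future");
  return problems;
}

// Constructed sample data: hypothetical endpoint, placeholder signature part.
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const makeToken = (claims) =>
  [b64url({ typ: "JWT", alg: "ES256" }), b64url(claims), "c2lnbmF0dXJl"].join(".");

const NOW = 1640071925; // constructed clock value, seconds since the epoch
const ENDPOINT = "https://push.example.net/wpush/v2/abc123";
const goodToken = makeToken({ aud: "https://push.example.net", exp: NOW + 3600, sub: "mailto:ops@example.com" });
const longToken = makeToken({ aud: "https://push.example.net", exp: NOW + 7 * 86400 });
const wrongAud = makeToken({ aud: "https://other.example.org", exp: NOW + 3600 });

for (const token of [goodToken, longToken, wrongAud]) {
  console.log(auditVapidToken(token, ENDPOINT, NOW));
}
```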