Re: [w3c/push-api] A javascript api for sending push notifications to others (#303)

I just wanted to leave my two cents on this matter.
If there is a discussion forum that is more suited for this matter please let me know.

## A case for peer-to-peer web push

The effects of GDPR, as well as the ethical and economic costs of running centralized servers, will increase (and have already increased) the demand for peer-to-peer decentralized applications.

From what I can tell from this thread, all major web push services are using a CORS policy that makes it impossible for the browser to create and send a web push notification. This is IMO stifling innovation in the peer-to-peer space.

It is already possible for a client to build and share all the necessary web push things entirely in the browser via the Web Crypto API.

The only purpose of this CORS policy is to prevent browsers from initiating the push message.
Sharing and key generation can already happen entirely in the browser.

If this issue is not solved, we may in the future see an increase in third-party services acting as CORS proxies, or services more explicitly accepting JWT tokens to pass along to the web push service provider.
This is bad practice, using unnecessary actors in the exchange.

### Security concerns:
I am not a professional, but consider the following.

The main security concern is that the service worker can be leveraged to display notifications containing malicious content; e.g. links to other fraudulent sites.

Assuming a dishonest website, there are no security gains from disallowing the browser from initiating push notifications, as the server holds the private VAPID keys to sign JWT tokens today.

Assuming an honest website owner, there may be an increased implementation risk, as VAPID keys need to be passed securely to other users. However, this is already possible today. Only the actual request to the push service endpoint is disallowed in browsers.

Also consider that notifications are tied to the application, and users can always revoke notifications from certain apps.

Forcing developers into insecure solutions based on unnecessary proxies is IMO much more damaging than embracing this trend and supporting developers with standardized libraries and good documentation.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/push-api/issues/303#issuecomment-1481534550

Message ID: <w3c/push-api/issues/303/1481534550@github.com>

Received on Thursday, 23 March 2023 16:48:24 UTC
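
The comment above says VAPID key generation and signing can already be done with the Web Crypto API alone. The following is an added example (not part of the original message or of any project's code) that generates a VAPID key pair, signs the RFC 8292 JWT, and verifies it the way a recipient of the `t` and `k` parameters would. The endpoint URL, contact address and function names are constructed for illustration. Anyone holding the private key can produce a valid header, which is why the comment's point about passing VAPID keys securely matters.

```javascript
// Added example: VAPID (RFC 8292) with Web Crypto only. Endpoint and contact are constructed.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();
const ES256 = { name: 'ECDSA', hash: 'SHA-256' };

// base64url without padding, as used by JWT and the VAPID "k" parameter
function b64url(bytes) {
  let bin = '';
  for (const b of new Uint8Array(bytes)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(text) {
  const bin = atob(text.replace(/-/g, '+').replace(/_/g, '/'));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// The JWT "aud" claim is the origin of the push endpoint, not the full URL.
function audienceFor(endpoint) {
  return new URL(endpoint).origin;
}

function generateVapidKeys() {
  return subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, ['sign', 'verify']);
}

// Returns the signed JWT and the Authorization header value for one push request.
async function buildVapidHeader(keys, endpoint, subject, nowSeconds) {
  const header = b64url(enc.encode(JSON.stringify({ typ: 'JWT', alg: 'ES256' })));
  const claims = b64url(enc.encode(JSON.stringify({
    aud: audienceFor(endpoint),
    exp: nowSeconds + 12 * 3600, // RFC 8292: at most 24 hours ahead
    sub: subject,
  })));
  // Web Crypto emits the raw 64-byte r||s signature that JWS ES256 expects.
  const sig = await subtle.sign(ES256, keys.privateKey, enc.encode(`${header}.${claims}`));
  const jwt = `${header}.${claims}.${b64url(sig)}`;
  const k = b64url(await subtle.exportKey('raw', keys.publicKey)); // 65-byte uncompressed point
  return { jwt, k, authorization: `vapid t=${jwt}, k=${k}` };
}

// What a verifier does with "t" and "k": import the public key, check the signature.
async function verifyVapid(jwt, k) {
  const [header, claims, sig] = jwt.split('.');
  const key = await subtle.importKey('raw', fromB64url(k),
    { name: 'ECDSA', namedCurve: 'P-256' }, false, ['verify']);
  return subtle.verify(ES256, key, fromB64url(sig), enc.encode(`${header}.${claims}`));
}
```

The key pair is generated as extractable so the public half can be exported; an application that never needs to move the private key can import or generate it as non-extractable instead.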