- From: Chris McCormick <notifications@github.com>
- Date: Mon, 29 Jun 2026 08:20:21 -0700
- To: w3c/push-api <push-api@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 29 June 2026 15:20:24 UTC
chr15m left a comment (w3c/push-api#303) I'd like to advocate for recommending the web push servers SHOULD/MUST allow POST requests in the CORS response headers. The reason is very simple. It is possible to build PWAs where you can send messages p2p between two browser instances using WebRTC or a decentralized protocol like Nostr. That part is solved. What is not possible is to wake up that PWA and show a notification when a message comes in. That's basic chat app functionality currently missing. If the CORS settings were updated this scenario would be allowed and then entirely p2p web based chat apps could show notifications to users, which is a basic expectation of communications apps. As already discussed in the thread CORS does not seem to add any security, especially since anybody hostile can just use a CORS proxy. Only those trying to legitimately send push messages from a browser instane with no server are punished. I hope you will consider adding SHOULD/MUST to the spec to make this possible. -- Reply to this email directly or view it on GitHub: https://github.com/w3c/push-api/issues/303#issuecomment-4834152018 You are receiving this because you are subscribed to this thread. Message ID: <w3c/push-api/issues/303/4834152018@github.com>
Received on Monday, 29 June 2026 15:20:24 UTC