W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2014

[push-api] No clear mention of privacy implication of sending data through push service

From: Tobie Langel <tobie.langel@gmail.com>
Date: Mon, 17 Feb 2014 12:02:08 +0100
Message-ID: <CAMK=o4eLpSx6Ea672TSk8mL54pxU-KJU_bahH72K9GFySPLJ0Q@mail.gmail.com>
To: public-webapps@w3.org
Hi,

Was just skimming through the Push API spec.

I'm aware that no payload is sent with push message for privacy reasons (as
push service is most certainly a third party), but that isn't mentioned in
the spec.

I suggest adding a non-normative note that:

1. describes the reasons of this architectural decision (the privacy
concern),
2. describes a possible work-around (xhr request to App Server to get the
data),
3. eventually mentions some of the benefits (e.g. payload can be always up
to date even if notification is stale).

Secondly, the very helpful sequence diagram contained in the spec could be
amended like so (to hint at this work-around):

  +--------+           +--------+             +--------+
+--------+
  | webapp |           |  user  |             |  push  |           |  app
|
  |        |           | agent  |             | server |           | server
|
  +--------+           +--------+             +--------+
+--------+
      |                    |                      |                     |
      |-----register------>|                      |                     |
      |                    |                      |                     |
      |              (user accepts)               |                     |
      |                    |                      |                     |
      |                    |<-setup push service->|                     |
      |                    |                      |                     |
      |<---success---------|                      |                     |
      |                    |                      |                     |
      |<--activate service with PushService attributes----------------->|
      |                    |                      |                     |
      |                    |                      |<--push notification-|
      |                    |                      |   per service API   |
      |                    |                      |                     |
      |                    |             (match to user agent)          |
      |                    |                      |                     |
      |                    |<--push notification--|                     |
      |                    | per service protocol |                     |
      |                    |                      |                     |
      |            (match to webapp)              |                     |
      |                    |                      |                     |
      |<---system message--|                      |                     |
      |                    |                      |                     |
      |--------------------------XHR GET Request----------------------->|
      |                    |                      |                     |
      |<---------------------------Payload------------------------------|
      |                    |                      |                     |

Best,

--tobie
Received on Monday, 17 February 2014 11:02:37 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:22 UTC