RE: [push-api] No clear mention of privacy implication of sending data through push service

Thanks for the comments, Tobie. I will provide an updated draft proposal soon to address them.
Note also that I'm preparing a proposal to actually include a message body, and other enhancements to the current API to broaden support among browsers. I should have a draft for review in the next couple of weeks.
Given that such a body would be optional, it would be good in any event to include a flow as you propose.

Thanks,
Bryan Sullivan

From: Tobie Langel [mailto:tobie.langel@gmail.com]
Sent: Monday, February 17, 2014 4:02 AM
To: public-webapps@w3.org
Subject: [push-api] No clear mention of privacy implication of sending data through push service

Hi,

Was just skimming through the Push API spec.

I'm aware that no payload is sent with the push message for privacy reasons (as the push service is most certainly a third party), but that isn't mentioned in the spec.

I suggest adding a non-normative note that:

1. describes the reasons for this architectural decision (the privacy concern),
2. describes a possible work-around (xhr request to App Server to get the data),
3. eventually mentions some of the benefits (e.g. payload can be always up to date even if notification is stale).

Secondly, the very helpful sequence diagram contained in the spec could be amended like so (to hint at this work-around):

  +--------+           +--------+             +--------+           +--------+
  | webapp |           |  user  |             |  push  |           |  app   |
  |        |           | agent  |             | server |           | server |
  +--------+           +--------+             +--------+           +--------+
      |                    |                      |                     |
      |-----register------>|                      |                     |
      |                    |                      |                     |
      |              (user accepts)               |                     |
      |                    |                      |                     |
      |                    |<-setup push service->|                     |
      |                    |                      |                     |
      |<---success---------|                      |                     |
      |                    |                      |                     |
      |<--activate service with PushService attributes----------------->|
      |                    |                      |                     |
      |                    |                      |<--push notification-|
      |                    |                      |   per service API   |
      |                    |                      |                     |
      |                    |             (match to user agent)          |
      |                    |                      |                     |
      |                    |<--push notification--|                     |
      |                    | per service protocol |                     |
      |                    |                      |                     |
      |            (match to webapp)              |                     |
      |                    |                      |                     |
      |<---system message--|                      |                     |
      |                    |                      |                     |
      |--------------------------XHR GET Request----------------------->|
      |                    |                      |                     |
      |<---------------------------Payload------------------------------|
      |                    |                      |                     |

Best,

--tobie

Received on Tuesday, 18 February 2014 05:01:12 UTC
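
Added example, not part of either message or of the Push API spec: a small in-memory simulation of the amended sequence diagram, showing what the third-party push server observes when notifications carry no body and the webapp fetches the data from the app server itself. All class, method and field names and the sample values are constructed for illustration; the direct `get()` call stands in for the XHR GET.

```javascript
// Constructed simulation of the parties in the sequence diagram.
// Names here are hypothetical, not identifiers from the Push API.
class AppServer {
  constructor(pushServer) { this.pushServer = pushServer; this.inbox = {}; }
  // New data stays on the app server; only a body-less wake-up is pushed.
  publish(registrationId, data) {
    this.inbox[registrationId] = data;
    this.pushServer.notify(registrationId);
  }
  // Stands in for the "XHR GET Request" / "Payload" arrows.
  get(registrationId) { return this.inbox[registrationId]; }
}

class PushServer {
  constructor() { this.seen = []; this.queue = []; this.agents = {}; }
  notify(registrationId) {
    this.seen.push({ registrationId }); // everything the third party observes
    this.queue.push(registrationId);    // delivery to the user agent may lag
  }
  // "match to user agent", then deliver whatever is queued
  flush() {
    for (const id of this.queue.splice(0)) this.agents[id](id);
  }
}

function runFlow() {
  const push = new PushServer();
  const app = new AppServer(push);
  const received = [];
  const id = "reg-123"; // constructed registration id
  // Webapp's system-message handler: fetch the data from the app server.
  push.agents[id] = (regId) => received.push(app.get(regId));
  app.publish(id, "balance: 10");
  app.publish(id, "balance: 25"); // the first notification is now stale
  push.flush();                   // both notifications arrive late
  return { pushServerSaw: push.seen, received };
}

console.log(JSON.stringify(runFlow(), null, 2));
```

The push server's record holds only the registration id for each notification, and both late notifications resolve to the current data, which is the benefit listed in point 3.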