[whatwg] Push API and Endpoints

From: Michael A. Peters <mpeters@domblogger.net>
Date: Tue, 15 Nov 2016 23:29:02 -0800
To: whatwg@lists.whatwg.org
Message-ID: <976e2dc5-fd8a-380e-a45f-41ac3d7fc1a3@domblogger.net>

I'm starting to play with Push API and it dawned on me -

The client retrieves the endpoint from the browser and sends it to the 
web application server.

The web application server then sends data to the endpoint, using the 
data provided by the client.

Is there any mechanism by which the application server can actually 
verify the endpoint domain actually is an endpoint domain and not some 
domain submitted by someone playing a prank?

I suppose we can whitelist known valid endpoint domains but it would be 
better if there was some official mechanism by which the client can 
verify that the notifications being sent to that domain are actually 
welcome.

Like maybe a DNS TXT record that can be fetched when the application 
server comes across a domain it hasn't verified before.
Received on Wednesday, 16 November 2016 07:29:39 UTC
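
The whitelisting approach mentioned in the message, as an added example that is not part of the original post: an application server checks a client-submitted endpoint against an allowlist of push service hosts before storing it or sending anything to it. The function name and the host lists are assumptions for illustration, and the operator has to maintain the lists for the push services they actually support.

```javascript
// Added example: allowlist check for a client-submitted Push API endpoint.
// The host lists below are assumptions for illustration; maintain your own.
const ALLOWED_PUSH_HOSTS = new Set([
  "fcm.googleapis.com",
  "updates.push.services.mozilla.com",
  "web.push.apple.com",
]);
const ALLOWED_PUSH_SUFFIXES = [".notify.windows.com"];

// Returns { ok, reason, href }. Only `href` (the normalized URL) should be
// stored and used for later requests, never the raw client string.
function checkPushEndpoint(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser: lowercases and IDNA-maps the host
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  // An explicit :443 is normalized to "", so anything left is non-default.
  if (url.port !== "") return { ok: false, reason: "non-default-port" };

  const host = url.hostname;
  const allowed =
    ALLOWED_PUSH_HOSTS.has(host) ||
    // The leading dot in each suffix forces a label boundary.
    ALLOWED_PUSH_SUFFIXES.some((s) => host.endsWith(s) && host.length > s.length);
  if (!allowed) return { ok: false, reason: "host-not-allowed" };
  return { ok: true, reason: "ok", href: url.href };
}

// Constructed sample submissions (not real subscriptions).
const samples = [
  "https://fcm.googleapis.com/fcm/send/constructed-token",
  "HTTPS://FCM.GOOGLEAPIS.COM:443/fcm/send/constructed-token",
  "https://db5.notify.windows.com/w/?token=constructed",
  "https://fcm.googleapis.com.prank.example/fcm/send/x",
  "https://prank-notify.windows.com/w/",
  "http://updates.push.services.mozilla.com/wpush/v1/x",
  "https://127.0.0.1/internal",
];
for (const s of samples) console.log(checkPushEndpoint(s).reason, s);
```

An allowlist only constrains where the server will send requests; it does not prove that the submitting client owns the subscription behind the endpoint.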