- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Tue, 15 Nov 2016 23:29:02 -0800
- To: whatwg@lists.whatwg.org
I'm starting to play with Push API and it dawned on me - The client retrieves the enpoint from the browser and sends it to the web application server. The web application server then sends data to the endpoint, using the data provided by the client. Is there any mechanism by which the application server can actually verify the endpoint domain actually is an endpoint domain and not some domain submitted by someone playing a prank? I suppose we can whitelist known valid endpoint domains but it would be better if there was some official mechanism by which the client can verify that the notifications being sent to that domain are actually welcome. Like maybe a DNS TXT record that can be fetched when the application server comes across a domain it hasn't verified before.
Received on Wednesday, 16 November 2016 07:29:39 UTC