Starred by 7 users

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocking:
issue 434808




W3C Push API events should not carry a payload for now

Project Member Reported by peter@chromium.org, Jan 15 2015

Issue description

Until the API mandates encryption of incoming push messages, we've chosen to not expose the message's payload to developers for the time being due to man-in-the-middle concerns of unencrypted payloads.

Without a payload, pushes are much more of a "ping", but the developer can still request the latest state from their server using a separate fetch() call.

Encryption of messages is being discussed in the W3C Push API's repository, as well as part of the Web Push Protocol at the IETF side.

https://github.com/w3c/push-api/issues/55
https://datatracker.ietf.org/wg/webpush/documents/
 
Project Member

Comment 1 by bugdroid1@chromium.org, Jan 24 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=188932

------------------------------------------------------------------
r188932 | peter@chromium.org | 2015-01-24T18:20:43.704603Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/push_messaging/PushEvent.idl?r1=188932&r2=188931&pathrev=188932
   M http://src.chromium.org/viewvc/blink/trunk/Source/web/WebRuntimeFeatures.cpp?r1=188932&r2=188931&pathrev=188932
   M http://src.chromium.org/viewvc/blink/trunk/public/web/WebRuntimeFeatures.h?r1=188932&r2=188931&pathrev=188932
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/RuntimeEnabledFeatures.in?r1=188932&r2=188931&pathrev=188932
   M http://src.chromium.org/viewvc/blink/trunk/Source/modules/push_messaging/PushMessageData.idl?r1=188932&r2=188931&pathrev=188932

Separate push event data from the rest of the W3C Push API flag.

Supporting payloads for incoming push messages is blocked on resolving
a number of security concerns, key in which is enforcing encryption as
part of the W3C Push API. Not exposing the "data" attribute and the
PushMessageData object for PushEvents is the best option for now, which
allows developers to feature detect support for payloads.

Availability of the payloads will be toggled by the embedder.

This is part of a three-sided patch:
  [1] This patch.
  [2] https://codereview.chromium.org/874613002
  [3] https://codereview.chromium.org/869303002

BUG= 449184 

Review URL: https://codereview.chromium.org/872013002
-----------------------------------------------------------------
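The pattern that the issue description and the r188932 commit message describe (feature-detect payload support, otherwise treat the push as a "ping" and request the state from the origin server), as an added example that is not part of the original thread or of Chromium's code. `STATE_URL`, the function names and the `title`/`body` JSON shape are assumptions made for illustration.

```javascript
// Added example, not Chromium code. STATE_URL is a hypothetical same-origin
// endpoint; a service worker only runs on a secure origin, so this request
// goes over HTTPS rather than trusting an unencrypted push payload.
const STATE_URL = '/api/notifications/latest';

// Feature-detect payload support. With the change above, Blink exposes neither
// PushEvent.data nor PushMessageData unless the embedder enables them.
function supportsPushPayload(scope) {
  return typeof scope.PushEvent === 'function' &&
         'data' in scope.PushEvent.prototype &&
         typeof scope.PushMessageData === 'function';
}

// Decide how one push event is handled. Without a usable payload the push is
// only a signal that something changed.
function planPush(event, payloadSupported) {
  if (payloadSupported && event.data) {
    return { source: 'payload', text: event.data.text() };
  }
  return { source: 'fetch', url: STATE_URL };
}

// Turn the plan into the message to display (assumed shape: {title, body}).
async function resolveMessage(plan, fetchFn) {
  if (plan.source === 'payload') return JSON.parse(plan.text);
  const res = await fetchFn(plan.url, { credentials: 'include', cache: 'no-store' });
  if (!res.ok) throw new Error('state fetch failed: ' + res.status);
  return res.json();
}

// Register the handler only when actually running inside a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' &&
    self instanceof ServiceWorkerGlobalScope) {
  const payloadSupported = supportsPushPayload(self);
  self.addEventListener('push', (event) => {
    event.waitUntil(
      resolveMessage(planPush(event, payloadSupported), fetch)
        .then((msg) => self.registration.showNotification(msg.title, { body: msg.body }))
    );
  });
}
```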

Comment 3 by peter@chromium.org, Jan 27 2015

Blocking: chromium:434808
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 27 2015

The following revision refers to this bug:
  http://src.chromium.org/viewvc/blink?view=rev&rev=189040

------------------------------------------------------------------
r189040 | peter@chromium.org | 2015-01-27T17:18:49.801591Z

Changed paths:
   M http://src.chromium.org/viewvc/blink/trunk/Source/platform/RuntimeEnabledFeatures.in?r1=189040&r2=189039&pathrev=189040

Change the PushMessagingData runtime feature to be "test".

The embedder can separately enable this if they so desire, but meanwhile
we don't want the test coverage for the feature to rot either.

This is part of a three-sided patch:
  [1] https://codereview.chromium.org/872013002
  [2] https://codereview.chromium.org/874613002
  [3] This patch.

BUG= 449184 

Review URL: https://codereview.chromium.org/869303002
-----------------------------------------------------------------

Comment 5 by peter@chromium.org, Jan 27 2015

Status: Fixed

Comment 6 by joh...@chromium.org, Apr 14 2015

Labels: -Fizz-Push Cr-Blink-PushAPI
