AFAIK, Web Notifications on Android are only allowed for HTTPS sites so showing schema wouldn't even make sense. Media notifications can be shown from an HTTP site. However it seems harmless enough.

Web Notifications work for HTTP and HTTPS origins.

Go to http://example.com, open DevTools and run code below:

Notification.requestPermission(function() {
  new Notification('Title', { body: 'I am the body text!' }); 
});

avayvod@ you're right. On Android here's what I get when running code above:

VM37:3 Uncaught TypeError: Failed to construct 'Notification': Illegal constructor. Use ServiceWorkerRegistration.showNotification() instead.

Note that on Desktop, we don't show protocol. See screenshot attached.

Deleted: Screenshot 2017-01-04 at 11.31.01 AM.png 149 KB

	Screenshot 2017-01-04 at 11.31.01 AM.png 149 KB View Download

palmer@, do you think the URL scheme can be removed in Android media notifications?

The context is, we show a media notification for a tab if it starts to play sound. The notification contains the origin of the page. The notification can show for http/https/file pages, and clicking the notification brings the tab to foreground.

It would also help to make Notification for Wearables a bit easier to read.  

Deleted: screen.png 86.8 KB

	screen.png 86.8 KB View Download

This would be a nice to have when launching the API. I think we should go ahead and write the change and give a few days to security-ux to come back to us. Media notifications are significantly less security-sensitive than regular notifications.

The standard advice is: https://www.chromium.org/Home/chromium-security/enamel#TOC-Presenting-Origins

You could show a lock icon (please use the standard icons, as used in the Omnibox), which would take up less space than "https://".

If it is the case that only secure origins could ever show these notifications, then you could get by without showing even a lock, since it would be redundant. That might be why we don't show the scheme or a security icon on desktop? I can't remember.

I got several screenshots using the "lock icon". See attached files

Deleted: lock_icon_m.png 112 KB

	lock_icon_m.png 112 KB View Download

Deleted: lock_icon_n.png 168 KB

	lock_icon_n.png 168 KB View Download

Deleted: lock_icon_wear.png 20.0 KB

	lock_icon_wear.png 20.0 KB View Download

Regular notifications on desktop don't show https:// but they can be used over http:// as far as I know. The lock icon sounds like it would save some space but attract too much attention. Is there a specific reason why a user would need to know if the origin is secure while playing audio?

After discussing this with security folks, it seems clear that this bug is a WontFix. We should focus on smaller screen estate with https://bugs.chromium.org/p/chromium/issues/detail?id=679358

WDYT?

Here's our conclusion over email:
- we are keeping the full origin with scheme on the device notifications.
- we no longer show the origin on Wear and instead show the artist's name.

I'm closing this as there's no action needed for the notification origin.