Thanks for the comments, Tobie. I will provide an updated draft proposal soon to 
address them.
Note also that I'm preparing a proposal to actually include a message body, and 
other enhancements to the current API to broaden support among browsers. I 
should have a draft for review in the next couple of weeks.
Given that such a body would be optional, it would be good in any event to 
include a flow as you propose.

Thanks,
Bryan Sullivan

From: Tobie Langel [mailto:tobie.lan...@gmail.com]
Sent: Monday, February 17, 2014 4:02 AM
To: public-webapps@w3.org
Subject: [push-api] No clear mention of privacy implication of sending data 
through push service

Hi,

Was just skimming through the Push API spec.

I'm aware that no payload is sent with a push message for privacy reasons (as 
the push service is most certainly a third party), but that isn't mentioned in the 
spec.

I suggest adding a non-normative note that:

1. describes the reasons for this architectural decision (the privacy concern),
2. describes a possible work-around (XHR request to App Server to get the data),
3. eventually mentions some of the benefits (e.g. payload can always be up to 
date even if notification is stale).

Secondly, the very helpful sequence diagram contained in the spec could be 
amended like so (to hint at this work-around):

  +--------+           +--------+             +--------+           +--------+
  | webapp |           |  user  |             |  push  |           |  app   |
  |        |           | agent  |             | server |           | server |
  +--------+           +--------+             +--------+           +--------+
      |                    |                      |                     |
      |-----register------>|                      |                     |
      |                    |                      |                     |
      |              (user accepts)               |                     |
      |                    |                      |                     |
      |                    |<-setup push service->|                     |
      |                    |                      |                     |
      |<---success---------|                      |                     |
      |                    |                      |                     |
      |<--activate service with PushService attributes----------------->|
      |                    |                      |                     |
      |                    |                      |<--push notification-|
      |                    |                      |   per service API   |
      |                    |                      |                     |
      |                    |             (match to user agent)          |
      |                    |                      |                     |
      |                    |<--push notification--|                     |
      |                    | per service protocol |                     |
      |                    |                      |                     |
      |            (match to webapp)              |                     |
      |                    |                      |                     |
      |<---system message--|                      |                     |
      |                    |                      |                     |
      |--------------------------XHR GET Request----------------------->|
      |                    |                      |                     |
      |<---------------------------Payload------------------------------|
      |                    |                      |                     |

Best,

--tobie
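
Added example, not part of the original thread or of the Push API spec: a small in-memory model of the amended sequence diagram, showing that the push service observes only a registration identifier while the webapp fetches the payload directly from the app server. All class, method and value names are hypothetical, and the direct method call `get()` stands in for the XHR GET.

```javascript
// Constructed model of the payload-less push flow; every name here is hypothetical.
class AppServer {
  constructor() { this.latest = new Map(); } // registration id -> current data
  update(pushService, regId, data) {
    this.latest.set(regId, data);   // the payload never leaves the app server...
    pushService.notify(regId);      // ...only a content-less signal does
  }
  get(regId) { return this.latest.get(regId); } // stands in for the XHR GET
}

class PushService { // third party between app server and user agent
  constructor() { this.seen = []; this.queue = []; this.routes = new Map(); }
  register(regId, webapp) { this.routes.set(regId, webapp); }
  notify(...args) {
    this.seen.push(args);           // record everything this party can observe
    this.queue.push(args[0]);
  }
  deliver() { // may run long after notify(), e.g. the device was offline
    for (const regId of this.queue.splice(0)) this.routes.get(regId).onPush(regId);
  }
}

class WebApp {
  constructor(appServer) { this.appServer = appServer; this.received = []; }
  // On a push, go straight to the app server for the data.
  onPush(regId) { this.received.push(this.appServer.get(regId)); }
}

function runFlow() {
  const push = new PushService();
  const app = new AppServer();
  const webapp = new WebApp(app);
  push.register("reg-1", webapp);
  // Two updates happen before any notification is delivered (constructed data).
  app.update(push, "reg-1", "balance: 100");
  app.update(push, "reg-1", "balance: 250");
  push.deliver(); // both stale notifications arrive now
  return { seenByPushService: push.seen, receivedByWebapp: webapp.received };
}

console.log(runFlow());
```

In this model the push service still learns which registration was notified and how often; only the content is withheld from it.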
