#98: W3C Push API - data payloads

Visit on Github.

Opened Dec 9, 2015

The W3C Push API has been updated by @martinthomson to allow developers to include a payload with the push messages they send. Such a payload must be encrypted, because the push service effectively is an untrusted intermediary.

The W3C bits are defined in https://w3c.github.io/push-api/

PushSubscription.getKey(type);  // "p256dh" or "auth", returning an ArrayBuffer
PushSubscription serializer;  // includes the keys, base64url encoded, in the JSON
PushMessageData
PushEvent.data

The client-side JavaScript will normally not be exposed to the encryption requirement - this is done by the application server. The data available in PushEvent.data will have been decrypted already.

The encryption routines themselves are defined in the following two IETF drafts:

Chrome and Firefox are both eager to ship.

/cc @mvano

Discussions

Comment by @dbaron Dec 16, 2015 (See Github)

Are there any issues you (for any "you" on the issue) are aware of that you think are particularly interesting for the TAG to look into, or that raise any architectural or cross-specification issues?

Comment by @martinthomson Dec 17, 2015 (See Github)

I don't think that extra data is particularly special here. The single bit that arrives when you don't have data payloads on the message already exposed all the big questions. This is merely an optimization on what we already have.

Comment by @mnot Jan 14, 2016 (See Github)

Discussed at Melbourne F2F; general support for encrypted payloads in this use case; we don't have comments on the details of the crypto because we're not expert there.