Open Bug 1924067 Opened 1 year ago Updated 1 year ago

Consider requiring applicationServerKey

Categories

(Core :: DOM: Push Subscriptions, task, P5)


People

(Reporter: saschanaz, Unassigned)


Safari already requires applicationServerKey on PushManager.subscribe(), and Chrome somehow returns a non-resolving promise with a console warning without it, which makes Firefox the only implementation allowing omission.

This gets... complicated.

The applicationServerKey is part of the VAPID protocol, which is part of the "Restricted Push Message Subscription" aspect. Since VAPID is Voluntary, the applicationServerKey is not strictly required by the Push protocol. (It's not mentioned in RFC 8030.)

The PushManager-getsubscription notes that the options for the subscribe() function can contain the applicationServerKey, but again, it's not required.

Google has always been non-standard and required the VAPID header. Mozilla has never required the VAPID header (although the non-standard thing that Mozilla requires is that IF you specify a VAPID header it MUST contain a sub. This value is there in case there's a significant problem with Push service usage, so that we have a way to contact the publishing party; otherwise the value is discarded quickly). I have no idea why Google has always required the VAPID header, but I suspect it is to ensure that only Google users are able to use Push notifications.
Apple appears to also require the Voluntary Application Identification (VAPID) header, I suspect for similar reasons. Since Mozilla does not require an account in order to use our Push service, requiring Publishing services to create a VAPID public key in order to send messages may be viewed as burdensome for both technical and non-technical reasons.

[tl;dr: Might want to hold off on this for review from folk.]
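
The header rules discussed in the comment above, as an added example that is not part of this bug thread or of any push service's code: a Node.js check of the claims in an RFC 8292 `vapid` Authorization header, with a switch for the stricter "sub must be present" behaviour the comment attributes to Mozilla. The names `checkVapidHeader`, `makeSampleHeader`, `pushOrigin` and `requireSub` are hypothetical, the sample header is constructed, and ES256 signature verification is assumed to happen separately.

```javascript
// Added example. Checks the claims of an RFC 8292 "vapid" Authorization header.
// ES256 signature verification with key k is NOT done here and must happen
// before any claim is trusted.
const fail = (reason) => ({ ok: false, reason });

function checkVapidHeader(header, pushOrigin, nowSec, requireSub = true) {
  const m = /^vapid\s+(.+)$/i.exec(header.trim());
  if (!m) return fail('not a vapid scheme');
  const params = {};                       // t=<JWT>, k=<base64url public key>
  for (const part of m[1].split(',')) {
    const i = part.indexOf('=');
    if (i < 1) return fail('malformed parameter');
    params[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  if (!params.t || !params.k) return fail('missing t or k');
  const key = Buffer.from(params.k, 'base64url');
  // k must be an uncompressed P-256 point: 0x04 || X (32 bytes) || Y (32 bytes)
  if (key.length !== 65 || key[0] !== 0x04) return fail('bad public key');
  const seg = params.t.split('.');
  if (seg.length !== 3) return fail('JWT needs three segments');
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(seg[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(seg[1], 'base64url').toString('utf8'));
    if (!head || !claims) throw new Error('empty segment');
  } catch {
    return fail('JWT segments are not JSON');
  }
  if (head.alg !== 'ES256') return fail('alg must be ES256');
  if (claims.aud !== pushOrigin) return fail('aud does not match push origin');
  if (!Number.isInteger(claims.exp) || claims.exp <= nowSec) return fail('expired');
  if (claims.exp > nowSec + 86400) return fail('exp more than 24h ahead');
  if (claims.sub === undefined) {
    // RFC 8292 makes sub optional; the comment above says Mozilla requires it.
    return requireSub ? fail('sub missing') : { ok: true, contact: null };
  }
  if (!/^(mailto:|https:\/\/)/.test(String(claims.sub))) return fail('bad sub');
  return { ok: true, contact: claims.sub };
}

// Constructed sample header: dummy key and an all-zero placeholder signature.
function makeSampleHeader(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const key = Buffer.alloc(65, 1);
  key[0] = 0x04;
  const sig = Buffer.alloc(64).toString('base64url');
  const jwt = `${enc({ typ: 'JWT', alg: 'ES256' })}.${enc(claims)}.${sig}`;
  return `vapid t=${jwt}, k=${key.toString('base64url')}`;
}
```
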

I don't think a Google account is required for push, as my non-signed-in Chrome Canary can still get a push notification. (Such requirement would be very very weird and confusing to everyone.) But yeah, might want to first understand why they force it.

(This bug is just for record, no intention to work on it without a good consensus.)

Severity: -- → S4
Priority: -- → P5