Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)
Martin Thomson <martin.thomson@gmail.com> Mon, 17 October 2016 10:04 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B90F129435; Mon, 17 Oct 2016 03:04:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gq0CNJ0A4RiQ; Mon, 17 Oct 2016 03:04:43 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 760591294EE; Mon, 17 Oct 2016 03:04:43 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id f128so215898397qkb.1; Mon, 17 Oct 2016 03:04:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=bsYsCiDRG/Em9D5VaA+lcuBGZ12eD1H4WdcBTMUo9Ew=; b=qRFeu+2JRAIB2LjVpSuQw/souhNWBWLbe+QUTvKMcskuSwG5WExplMJp9aUMxSek4Q CNyA1/4qaJpbDJeORb0MRAXDr9wFYGYhTsjcPtfI3cWwIm1l3emyoxA36+GwP+dm5JhE xHZ4sjiem9kmONt0wk5WBwRWF4/QqHTiNoNWUNkG87XwtlrzJNJhx2vqV59yq7kM6jat o+qMZC9sBpIhL1NHbJdyIP6AQh5ixoJZ4FBSlH//Rsqy3/pJIuDcJVW7TVHrO4EBrO01 6Hb8leznJyYXKL2gMU21Tdv/pp2Kj1CzpGNF7w584sBW6rqH91J4dVpNzLaQ8oeQxW24 3wWQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=bsYsCiDRG/Em9D5VaA+lcuBGZ12eD1H4WdcBTMUo9Ew=; b=VaBBZ9gbkTsoI5IUUotGjI14JApXEMA5RdhlMFtR9euFlTahf5xfII+rjwx7Vzwb+N fFOxUREmLetlEVgliIG+02pLcnvxis5DpYrdMv4mVky9B0AmSFKzZcd1288HjYJs3mas v5ECVGeBSkVRuxNYRRMq/0Wd4MACi01LS1E/3v1fjsQhWnL1M12oHW2pxd9Tf5PrN4hi VRU/SSZMaRhUEp+or1gbdl7qj7+cEWh1pno8iUv0Oxsy7ADG4GQzCbBnKjwvcr0x/lQq s0WoogBITqC825KVzgYYF19Ln81lgIwh7JtVGJH4OzgaWmLFs8D+5ZQ030bxzZgmPtzH dncQ==
X-Gm-Message-State: AA6/9RmgmRPBsuEHAGx1bUAH83ccPhD9hB+CZO8FoOJGut6atNJy9paPmCLsVfaQH7cBcKPH3uzxlBBHkL5Z0g==
X-Received: by 10.55.155.15 with SMTP id d15mr22437378qke.115.1476698681712; Mon, 17 Oct 2016 03:04:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.7 with HTTP; Mon, 17 Oct 2016 03:04:40 -0700 (PDT)
In-Reply-To: <77e09f1f-04de-7819-92ea-9e4609cd853d@cs.tcd.ie>
References: <CY1PR03MB238089D350CD6A78DB9E80BE83DF0@CY1PR03MB2380.namprd03.prod.outlook.com> <5816348f-015a-beca-a5e6-3883fff02aab@cs.tcd.ie> <CY1PR03MB2380AE2A057528E2B17FA0B083DF0@CY1PR03MB2380.namprd03.prod.outlook.com> <CY1PR03MB2380D52D2AA9CC7D60EA5FA883D00@CY1PR03MB2380.namprd03.prod.outlook.com> <77e09f1f-04de-7819-92ea-9e4609cd853d@cs.tcd.ie>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 17 Oct 2016 21:04:40 +1100
Message-ID: <CABkgnnUXDpd_raGe1ugJEM8aeR4=oh-fqT-raWe2+6ZAMd5uVQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/AVaO6ZcF0MoQ6q3etlbnAJKWkZQ>
Cc: Brian Raymor <Brian.Raymor@microsoft.com>, Shida Schubert <shida@ntt-at.com>, The IESG <iesg@ietf.org>, "draft-ietf-webpush-protocol@ietf.org" <draft-ietf-webpush-protocol@ietf.org>, "webpush-chairs@ietf.org" <webpush-chairs@ietf.org>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 10:04:45 -0000
On 17 October 2016 at 18:13, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > I think the MAY there is what got me into a confused state. > Say if a UA knows to use port 1001 on example.net and just > goes there, then the UA will treat the content as having the > origin example.net:1001. If however the UA goes to example.net > on port 443 first and then sees an alt-svc, then when it goes > to port 1001 it'll treat the content as having origin just > example.net. Correct. That is a good summary of how Alt-Svc interacts here. > I guess that'll make a difference in how the UA > handles pushed content. Actually it won't because it doesn't treat the content it retrieves as belonging to a particular origin. The information that is received is handled by the UA (not any application that resides in it, in the case of a browser). As a browser, with origins and all that business, we don't actually treat content as subject to SOP until we've received the push message, decrypted it, and actually handed it to the origin. Because the content we receive from a push service rightfully belongs to many origins, we have to treat it specially. The push service is aware of its role in this, so we don't need to ask special permission to share either. It did implement the protocol after all. Thus, the data we source there isn't treated as cross-origin. We do exactly the same for the geolocation API when we get a location from a server. (I could also explain how you can follow the crypto and see that the data isn't cross-origin at all, but that would be just sophistry.) Either way, I believe that what you are asking for rightfully belongs in the API part, since we're trying to make the protocol pieces ignorant of all that disgusting browser gunk. Happy to add something as editor of the API pieces, but not entirely sure what. It's strange because it's entirely too obvious to me to the point that I didn't really know what you were on about, but then you are right that we never actually write this stuff down. Opened https://github.com/w3c/push-api/issues/211
- [Webpush] Stephen Farrell's Discuss on draft-ietf… Stephen Farrell
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Brian Raymor
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Brian Raymor
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Brian Raymor
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Martin Thomson
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Brian Raymor
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Stephen Farrell
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Brian Raymor
- Re: [Webpush] Stephen Farrell's Discuss on draft-… Stephen Farrell