Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)

Martin Thomson <martin.thomson@gmail.com> Mon, 17 October 2016 10:04 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 17 Oct 2016 21:04:40 +1100
Message-ID: <CABkgnnUXDpd_raGe1ugJEM8aeR4=oh-fqT-raWe2+6ZAMd5uVQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/AVaO6ZcF0MoQ6q3etlbnAJKWkZQ>
Cc: Brian Raymor <Brian.Raymor@microsoft.com>, Shida Schubert <shida@ntt-at.com>, The IESG <iesg@ietf.org>, "draft-ietf-webpush-protocol@ietf.org" <draft-ietf-webpush-protocol@ietf.org>, "webpush-chairs@ietf.org" <webpush-chairs@ietf.org>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)

On 17 October 2016 at 18:13, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> I think the MAY there is what got me into a confused state.
> Say if a UA knows to use port 1001 on example.net and just
> goes there, then the UA will treat the content as having the
> origin example.net:1001. If however the UA goes to example.net
> on port 443 first and then sees an alt-svc, then when it goes
> to port 1001 it'll treat the content as having origin just
> example.net.

Correct.  That is a good summary of how Alt-Svc interacts here.

> I guess that'll make a difference in how the UA
> handles pushed content.

Actually it won't because it doesn't treat the content it retrieves as
belonging to a particular origin.  The information that is received is
handled by the UA (not any application that resides in it, in the case
of a browser).

As a browser, with origins and all that business, we don't actually
treat content as subject to SOP until we've received the push message,
decrypted it, and actually handed it to the origin.  Because the
content we receive from a push service rightfully belongs to many
origins, we have to treat it specially.

The push service is aware of its role in this, so we don't need to ask
special permission to share either.  It did implement the protocol
after all.  Thus, the data we source there isn't treated as
cross-origin.

We do exactly the same for the geolocation API when we get a location
from a server.

(I could also explain how you can follow the crypto and see that the
data isn't cross-origin at all, but that would be just sophistry.)

Either way, I believe that what you are asking for rightfully belongs
in the API part, since we're trying to make the protocol pieces
ignorant of all that disgusting browser gunk.  Happy to add something
as editor of the API pieces, but not entirely sure what.  It's strange
because it's entirely too obvious to me to the point that I didn't
really know what you were on about, but then you are right that we
never actually write this stuff down.  Opened
https://github.com/w3c/push-api/issues/211
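
The Alt-Svc behaviour summarised in the quoted text above, shown as an added example that is not part of the original message or of any browser's code: a response reached through an advertised alternative keeps the origin of the URL that was requested, while a direct request to the same port gets a different origin. The names `parseAltSvc`, `AltSvcCache`, `learn` and `route` are hypothetical, and the header value and timestamps are constructed.

```javascript
// Added illustration; AltSvcCache, parseAltSvc and route are hypothetical names.
// Simplified: no "persist" parameter, no quoted commas, first fresh alternative wins.

// Parse an Alt-Svc field value (RFC 7838), e.g. 'h2=":1001"; ma=3600'.
function parseAltSvc(value) {
  if (value.trim() === 'clear') return [];
  return value.split(',').map((entry) => {
    const [alt, ...params] = entry.split(';').map((s) => s.trim());
    const m = /^([^=]+)="([^"]*):(\d+)"$/.exec(alt);
    if (!m) return null; // skip malformed alternatives
    const ma = params.map((p) => /^ma=(\d+)$/.exec(p)).find(Boolean);
    // RFC 7838: freshness lifetime defaults to 24 hours when "ma" is absent.
    return { protocol: m[1], host: m[2], port: Number(m[3]), maxAge: ma ? Number(ma[1]) : 86400 };
  }).filter(Boolean);
}

class AltSvcCache {
  constructor() { this.byOrigin = new Map(); }

  // Record the alternatives a response from `url` advertised at time `now` (ms).
  learn(url, headerValue, now) {
    const alts = parseAltSvc(headerValue).map((a) => ({ ...a, expires: now + a.maxAge * 1000 }));
    this.byOrigin.set(new URL(url).origin, alts);
  }

  // Return the endpoint to connect to and the origin the response is attributed to.
  route(url, now) {
    const u = new URL(url);
    const alt = (this.byOrigin.get(u.origin) || []).find((a) => a.expires > now);
    const port = u.port || (u.protocol === 'https:' ? '443' : '80');
    const connectTo = alt ? `${alt.host || u.hostname}:${alt.port}` : `${u.hostname}:${port}`;
    return { origin: u.origin, connectTo };
  }
}

// Constructed scenario from the thread: example.net, port 1001.
function demo() {
  const cache = new AltSvcCache();
  const direct = cache.route('https://example.net:1001/push', 0);
  cache.learn('https://example.net/', 'h2=":1001"; ma=3600', 0);
  const viaAltSvc = cache.route('https://example.net/push', 1000);
  const afterExpiry = cache.route('https://example.net/push', 3600 * 1000 + 1);
  return { direct, viaAltSvc, afterExpiry };
}
```

`demo()` returns the same connection endpoint for the direct and Alt-Svc cases but two different origins, and falls back to port 443 once the alternative's freshness lifetime has passed.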