IETF Logo Mail Archive

Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 17 October 2016 14:40 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: webpush@ietfa.amsl.com
Delivered-To: webpush@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27106129416; Mon, 17 Oct 2016 07:40:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level:
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zGhylOsBAG_R; Mon, 17 Oct 2016 07:40:25 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9D531295EF; Mon, 17 Oct 2016 07:40:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6F805BE3E; Mon, 17 Oct 2016 15:40:21 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HWApJfn-EaHL; Mon, 17 Oct 2016 15:40:21 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id CFD15BE2F; Mon, 17 Oct 2016 15:40:20 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476715221; bh=0NQ19/0dLf6m4n1eQUYj0DHRrbni4KCi8/yfE8xpOyM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=PQqfkUBTnpYPbFDCbx8qyxJatTvkagSf1ep9FVOChBN7ZTIzGhNX0uHk+xW/0i5aO 5i6mXDAVqbEZ3w5z9Gbl1TR0KY0eUWsb710QqspBr3/SxZRv76RuW77G1TEXCIyJy0 seAsXCFUmYke6tjRVzZM5yoEYlKYfbeUg/MGi+2Y=
To: Martin Thomson <martin.thomson@gmail.com>
References: <CY1PR03MB238089D350CD6A78DB9E80BE83DF0@CY1PR03MB2380.namprd03.prod.outlook.com> <5816348f-015a-beca-a5e6-3883fff02aab@cs.tcd.ie> <CY1PR03MB2380AE2A057528E2B17FA0B083DF0@CY1PR03MB2380.namprd03.prod.outlook.com> <CY1PR03MB2380D52D2AA9CC7D60EA5FA883D00@CY1PR03MB2380.namprd03.prod.outlook.com> <77e09f1f-04de-7819-92ea-9e4609cd853d@cs.tcd.ie> <CABkgnnUXDpd_raGe1ugJEM8aeR4=oh-fqT-raWe2+6ZAMd5uVQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56cca9c2-22a7-10bf-6d3a-cde3b82db9dc@cs.tcd.ie>
Date: Mon, 17 Oct 2016 15:40:21 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnUXDpd_raGe1ugJEM8aeR4=oh-fqT-raWe2+6ZAMd5uVQ@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060805030707090409070509"
Archived-At: <https://mailarchive.ietf.org/arch/msg/webpush/hk58baQf9pgIiatOC0yDa6oWCm0>
Cc: Brian Raymor <Brian.Raymor@microsoft.com>, Shida Schubert <shida@ntt-at.com>, The IESG <iesg@ietf.org>, "draft-ietf-webpush-protocol@ietf.org" <draft-ietf-webpush-protocol@ietf.org>, "webpush-chairs@ietf.org" <webpush-chairs@ietf.org>, "webpush@ietf.org" <webpush@ietf.org>
Subject: Re: [Webpush] Stephen Farrell's Discuss on draft-ietf-webpush-protocol-11: (with DISCUSS and COMMENT)
X-BeenThere: webpush@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <webpush.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/webpush>, <mailto:webpush-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/webpush/>
List-Post: <mailto:webpush@ietf.org>
List-Help: <mailto:webpush-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/webpush>, <mailto:webpush-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 14:40:28 -0000

Hiya,

On 17/10/16 11:04, Martin Thomson wrote:
> On 17 October 2016 at 18:13, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>> I think the MAY there is what got me into a confused state.
>> Say if a UA knows to use port 1001 on example.net and just
>> goes there, then the UA will treat the content as having the
>> origin example.net:1001. If however the UA goes to example.net
>> on port 443 first and then sees an alt-svc, then when it goes
>> to port 1001 it'll treat the content as having origin just
>> example.net.
> 
> Correct.  That is a good summary of how Alt-Svc interacts here.
> 
>> I guess that'll make a difference in how the UA
>> handles pushed content.
> 
> Actually it won't because it doesn't treat the content it retrieves as
> belonging to a particular origin.  The information that is received is
> handled by the UA (not any application that resides in it, in the case
> of a browser).
> 
> As a browser, with origins and all that business, we don't actually
> treat content as subject to SOP until we've received the push message,
> decrypted it, and actually handed it to the origin.  Because the
> content we receive from a push service rightfully belongs to many
> origins, we have to treat it specially.

Saying that would've definitely helped me understand
what's going on. Does something need to be stated in
this draft? Or is it safe enough to assume that the
reader will also look at the API and encryption drafts,
and that people won't come up with other ways to handle
pushed messages that don't support good ways to
enforce the SOP?

Cheers,
S.

> 
> The push service is aware of its role in this, so we don't need to ask
> special permission to share either.  It did implement the protocol
> after all.  Thus, the data we source there isn't treated as
> cross-origin.
> 
> We do exactly the same for the geolocation API when we get a location
> from a server.
> 
> (I could also explain how you can follow the crypto and see that the
> data isn't cross-origin at all, but that would be just sophistry.)
> 
> Either way, I believe that what you are asking for rightfully belongs
> in the API part, since we're trying to make the protocol pieces
> ignorant of all that disgusting browser gunk.  Happy to add something
> as editor of the API pieces, but not entirely sure what.  It's strange
> because it's entirely too obvious to me to the point that I didn't
> really know what you were on about, but then you are right that we
> never actually write this stuff down.  Opened
> https://github.com/w3c/push-api/issues/211
>

v2.23.0 | Report a Bug | By Email