Add whitelist for valid browser push service hosts about web-push HOT 9 CLOSED

In theory, one might want to run their push service. We could:

• print a warning when an unknown push service is used;
• add a parameter to sendNotification to block unknown push services.

from web-push.

In theory, one might want to run their push service.

If I understand you correctly, it's impossible to get a browser to subscribe to your own push service. PushManager.subscribe() internally calls the browser vendor's own private push service and you have no way of changing that.

from web-push.

In Firefox you can change it by setting some internal preferences. If you are a big organization who wants to have a private push service, you could do that.

from web-push.

Oh interesting. I'll pray for any org who goes down that path :)

from web-push.

It's not too complex, you "just" need to use an open source Web Push server like https://github.com/mozilla-services/autopush-rs/ and deploy it somewhere :)

from web-push.

This just adds an unnecessary time bomb to the library if any of the vendors decide to change their push service domain, or if any new vendors start to run their own services. If someone is this paranoid about security, it's better to whitelist it on the DNS layer.

from web-push.

Agreed!

from web-push.

Ok I understand the hesitation because things can and do change and you don't want to burden the library with that maintenance. To be fair, there's no "paranoia" here. Attacks have and will happen, like android.chromlum.info which was a malicious web push endpoint.

There's not a lot of good resources to help guard against this, perhaps this lib could simply add some info/resources in its docs?

from web-push.

I would accept a PR to do one or both of the things in #801 (comment).

from web-push.