CloudServices/Notifications/Push/Security: Difference between revisions
(Created page with "Push notifications are a way for websites to send lightweight messages to users when the user is not on the site. They will be similar to push notifications for iOS or Android de...") |
|||
| Line 35: | Line 35: | ||
== Security Considerations == | == Security Considerations == | ||
A mailbox URL is an opaque random string that lets a domain send messages to a <b>Device</b>. | |||
=== | === App (Server) trust === | ||
* | * Authentication: provision an API key for the app which must be sent with all requests | ||
* Authorization: match the API key to the expected mailbox domain | |||
=== | === Device trust === | ||
* | * Authentication: provision a device token the first time we need to set up a mailbox | ||
* Authorization: only display messages for mailboxes matching the token | |||
=== Spoofing === | |||
* Include origin domain when displaying messages | |||
* Enforce same-origin policy for action URLs | |||
=== Message Encryption === | |||
TODO | |||
== Prior Art == | == Prior Art == | ||
Revision as of 23:47, 1 December 2011
Push notifications are a way for websites to send lightweight messages to users when the user is not on the site. They will be similar to push notifications for iOS or Android devices.
Apps will send messages to a backend Mozilla service, which will queue messages until a user comes online. A user can have many devices; her queues will be synced between devices.
Players
- Device: Firefox running on a desktop or phone; a user can have multiple devices
- Push Service: Mozilla servers managing notification queues
- App (Server): Third-party application backend sending notifications to a user
- App (Client): Third-party website requesting notification permissions
The API
An App (Client) requests permission to use push notifications:
navigator.notifications.requestPermission(callback)
If the user accepts, the Device runs callback with a URL pointing to a queue on the Push Service. The App (Client) is responsible for sending the queue URL to the App (Server) for future notifications.
The Device is responsible for creating a queue:
POST push.mozilla.org/queue
It returns a unique URL for an App (Server) to talk to a Device.
The App (Server) sends messages to the queue:
POST push.mozilla.org/queue/<queue> <message>
The Device pulls messages from the queue and displays them for the user:
GET push.mozilla.org/queue/<queue>
Security Considerations
A mailbox URL is an opaque random string that lets a domain send messages to a Device.
App (Server) trust
- Authentication: provision an API key for the app which must be sent with all requests
- Authorization: match the API key to the expected mailbox domain
Device trust
- Authentication: provision a device token the first time we need to set up a mailbox
- Authorization: only display messages for mailboxes matching the token
Spoofing
- Include origin domain when displaying messages
- Enforce same-origin policy for action URLs
Message Encryption
TODO
Prior Art
Apple
- Push Notification Service
- Security Architecture
- Devices send a device certificate to the Push Service
- App (Server)s send a provider certificate (provisioned by Apple) to the Push Service
Android
- Google Cloud-to-Device API
- Devices are authenticated by the user's Google credentials.
- App (Server)s store a RegistrationID (for the app) and a ClientLogin token (for the user) and must include both when sending messages.
Urban Airship
- Urban Airship Authentication
- App Servers send an ApplicationKey: Secret (provided by UA) pair to the Push Service