Security/Reviews/SimplePush: Difference between revisions
(Created page with "{{SecReviewInfo |SecReview name=Simple Push API }} {{SecReview}} {{SecReviewActionStatus |SecReview action item status=None }}") |
No edit summary |
||
| Line 1: | Line 1: | ||
{{SecReviewInfo | {{SecReviewInfo | ||
|SecReview name=Simple Push API | |SecReview name=Simple Push API | ||
|SecReview target=https://wiki.mozilla.org/WebAPI/SimplePush | |||
}} | |||
{{SecReview | |||
|SecReview feature goal=Background is here: https://wiki.mozilla.org/WebAPI/SimplePush | |||
Push Notifications - currently on designed for B2G | |||
Will be implemented on desktop, but this is specified yet. | |||
Found it: https://etherpad.mozilla.org/n1f1znLCQh | |||
===Registration Flow=== | |||
1. User Agent sends "push-register" message to app | |||
Sorry the documentation is not clear on that, will fix. push-register is only sent sometimes and is a recovery mechanism. Ideally applications call mozPushNotification.register() whenever they want | |||
2. In the handler for push-register, the app calls navigator.pushNotifications.register() once for each topic it wants to listen for. | |||
3. register() causes the user-agent to request a new unique channel identifier for the app by requesting a new channelID from the Push Server. The User Agent generates the GUID4 and asks the push server if it is available. | |||
4. Upon recieving the pushEndpoint and channelID from the Push Server, the user-agent returns the pushEndpoint to the app, which represents the URL which will recieve notifications for this channel. | |||
5. The app sends this URL to its App Server, to let it know that it is listening to push requests sent to this URL | |||
===Sending a message=== | |||
1. App Server posts a message to the Push Notification URL containing a version string | |||
2. The version of this channelID is stored on the PushServer | |||
3. The user-agent calls /v1/update to retrieve a list of all registered all channels and all known versions (for this particular user-agent-id) | |||
}} | }} | ||
{{SecReviewActionStatus | {{SecReviewActionStatus | ||
|SecReview action item status=None | |SecReview action item status=None | ||
}} | }} | ||
Revision as of 21:31, 13 February 2013
Item Reviewed
| Simple Push API | |
| Target | https://wiki.mozilla.org/WebAPI/SimplePush |
{{#set:SecReview name=Simple Push API |SecReview target=https://wiki.mozilla.org/WebAPI/SimplePush }}
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
Background is here: https://wiki.mozilla.org/WebAPI/SimplePush Push Notifications - currently on designed for B2G Will be implemented on desktop, but this is specified yet. Found it: https://etherpad.mozilla.org/n1f1znLCQh
Registration Flow
1. User Agent sends "push-register" message to app Sorry the documentation is not clear on that, will fix. push-register is only sent sometimes and is a recovery mechanism. Ideally applications call mozPushNotification.register() whenever they want 2. In the handler for push-register, the app calls navigator.pushNotifications.register() once for each topic it wants to listen for. 3. register() causes the user-agent to request a new unique channel identifier for the app by requesting a new channelID from the Push Server. The User Agent generates the GUID4 and asks the push server if it is available. 4. Upon recieving the pushEndpoint and channelID from the Push Server, the user-agent returns the pushEndpoint to the app, which represents the URL which will recieve notifications for this channel. 5. The app sends this URL to its App Server, to let it know that it is listening to push requests sent to this URL
Sending a message
1. App Server posts a message to the Push Notification URL containing a version string 2. The version of this channelID is stored on the PushServer 3. The user-agent calls /v1/update to retrieve a list of all registered all channels and all known versions (for this particular user-agent-id)
What solutions/approaches were considered other than the proposed solution?
`
Why was this solution chosen?
`
Any security threats already considered in the design and why?
`
Threat Brainstorming
' {{#set: SecReview feature goal=Background is here: https://wiki.mozilla.org/WebAPI/SimplePush Push Notifications - currently on designed for B2G Will be implemented on desktop, but this is specified yet. Found it: https://etherpad.mozilla.org/n1f1znLCQh
Registration Flow
1. User Agent sends "push-register" message to app Sorry the documentation is not clear on that, will fix. push-register is only sent sometimes and is a recovery mechanism. Ideally applications call mozPushNotification.register() whenever they want 2. In the handler for push-register, the app calls navigator.pushNotifications.register() once for each topic it wants to listen for. 3. register() causes the user-agent to request a new unique channel identifier for the app by requesting a new channelID from the Push Server. The User Agent generates the GUID4 and asks the push server if it is available. 4. Upon recieving the pushEndpoint and channelID from the Push Server, the user-agent returns the pushEndpoint to the app, which represents the URL which will recieve notifications for this channel. 5. The app sends this URL to its App Server, to let it know that it is listening to push requests sent to this URL
Sending a message
1. App Server posts a message to the Push Notification URL containing a version string 2. The version of this channelID is stored on the PushServer 3. The user-agent calls /v1/update to retrieve a list of all registered all channels and all known versions (for this particular user-agent-id) |SecReview alt solutions=' |SecReview solution chosen=' |SecReview threats considered=' |SecReview threat brainstorming=' }}
Action Items
| Action Item Status | None |
| Release Target | ` |
| Action Items | |
| ' | |
{{#set:|SecReview action item status=None
|Feature version=` |SecReview action items=` }}