ThePush API enables sending of apush message to a web application via apush service. Anapplication server can send apush message at any time, even when a web application oruser agent is inactive. Thepush service ensures reliable and efficient delivery to theuser agent.Push messages are delivered to aService Worker that runs in the origin of the web application, which can use the information in the message to update local state or display a notification to the user.
Publication as a Working Draft does not imply endorsement byW3C and its Members.
This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
The Push API allows a web application to communicate with auser agent asynchronously. This allows anapplication server to provide theuser agent with time-sensitive information whenever that information becomes known, rather than waiting for a user to open the web application.
In particular, apush message will be delivered to the web application even if that web application is not currently active in a browser window: this relates to use cases in which the user may close the web application, but still benefits from the web application being able to be restarted when apush message is received. For example, apush message might be used to inform the user of an incoming WebRTC call.
Apush message can also be sent when theuser agent is temporarily offline. In support of this, thepush service stores messages for theuser agent until theuser agent becomes available. This supports use cases where a web application learns of changes that occur while a user is offline and ensures that theuser agent can be provided with relevant information in a timely fashion.Push messages are stored by thepush service until theuser agent becomes reachable and the message can be delivered.
The Push API will also ensure reliable delivery of push messages while auser agent is actively using a web application, for instance if a user is actively using the web application or the web application is in active communication with anapplication server through an active worker, frame, or background window. This is not the primary use case for the Push API. A web application might choose to use the Push API for infrequent messages to avoid having to maintain constant communications with theapplication server.
Push messaging is best suited to occasions where there is not already an active communications channel established between theuser agent and the web application. Sendingpush messages requires considerably more resources when compared with more direct methods of communication such as theFetch API or [WebSockets].Push messages usually have higher latency than direct communications and they can also be subject to restrictions on use. Mostpush services limit the size and quantity ofpush messages that can be sent.
2. Dependencies
Theweb push protocol [RFC8030] describes a protocol that enables communication between auser agent orapplication server and apush service. Alternative protocols could be used in place of this protocol, but this specification assumes the use of this protocol; alternative protocols are expected to provide compatible semantics.
TheContent-Encoding HTTP header, described in Section 3.1.2.2 of [RFC7231], indicates the content coding applied to the payload of apush message.
3. Concepts
3.1 Application server
The termapplication server refers to server-side components of a web application.
3.2 Push message
Apush message is data sent to a web application from anapplication server.
Apush message is delivered to theactive worker associated with thepush subscription to which the message was submitted. If the service worker is not currently running, the worker is started to enable delivery.
Apush subscriptionMAY have an associatedsubscription expiration time. When set, itMUST be the time, in milliseconds since 00:00:00 UTC on 1 January 1970, at which the subscription will bedeactivated. Theuser agentSHOULD attempt torefresh the push subscription before the subscription expires.
Apush subscription has internal slots for a P-256ECDH key pair and an authentication secret in accordance with [RFC8291]. These slotsMUST be populated when creating thepush subscription.
Letoptions be a newly createdPushSubscriptionOptions object, initializing its attributes with the corresponding members and values ofoptionsDictionary.
Generate a new P-256ECDH key pair [ANSI-X9-62]. Store the private key in an internal slot onsubscription; this valueMUST NOT be made available to applications. The public key is also stored in an internal slot and can be retrieved by calling thegetKey() method of thePushSubscription with an argument of "p256dh".
Generate a new authentication secret, which is a sequence of octets as defined in [RFC8291]. Store the authentication secret in an internal slot onsubscription. This key can be retrieved by calling thegetKey() method of thePushSubscription with an argument of "auth".
Theuser agent connects to thepush service used to createpush subscriptions.User agentsMAY limit the choice ofpush services available. Reasons for doing so include performance-related concerns such as service availability (including whether services are blocked by firewalls in specific countries, or networks at workplaces and the like), reliability, impact on battery lifetime, and agreements to steer metadata to, or away from, specificpush services.
The contents of apush message are encrypted [RFC8291]. However, thepush service is still exposed to the metadata of messages sent by anapplication server to auser agent over apush subscription. This includes the timing, frequency and size of messages. Other than changingpush services, which user agents may disallow, the only known mitigation is to increase the apparent message size by padding.
The following requirements are intended to protect the privacy and security of the user as far as possible, and subject to meeting that goal, to protect the integrity of theapplication server's communication with the user.
User agentsMUST NOT provide Push API access to web applications without theexpress permission of the user.User agentsMUST acquire consent for permission through a user interface for each call to thesubscribe() method, unless a previous permission grant has been persisted, or a prearranged trust relationship applies. Permissions that are preserved beyond the current browsing sessionMUST be revocable.
The Push API may have to wake up the Service Worker associated with theservice worker registration in order to run the developer-provided event handlers. This can cause resource usage, such as network traffic, that theuser agentSHOULD attribute to the web application that created thepush subscription.
Thepush endpointMUST NOT expose information about the user to be derived by actors other than thepush service, such as the user's device, identity or location. See the Privacy Considerations in [RFC8030] for the exact requirements.
User agentsMUST implement the Push API to only be available in asecure context. This provides better protection for the user against man-in-the-middle attacks intended to obtain push subscription data. Browsers may ignore this rule for development purposes only.
This overall framework allowsapplication servers to activate aService Worker in response to events at theapplication server. Information about those events can be included in thepush message, which allows the web application to react appropriately to those events, potentially without needing to initiate network requests.
The following code and diagram illustrate a hypothetical use of the push API.
// https://example.com/serviceworker.jsthis.onpush =event => {console.log(event.data);// From here we can write the data to IndexedDB, send it to any open// windows, display a notification, etc.}// https://example.com/webapp.js// inside an async function...try {const serviceWorkerRegistration =await navigator.serviceWorker.register("serviceworker.js" );const pushSubscription =await serviceWorkerRegistration.pushManager.subscribe();// The push subscription details needed by the application// server are now available, and can be sent to it using,// for example, an XMLHttpRequest.console.log(pushSubscription.endpoint);console.log(pushSubscription.getKey("p256dh"));console.log(pushSubscription.getKey("auth"));}catch (err) {// In a production environment it might make sense to// also report information about errors back to the// application server.console.log(error);}
5.2 Sequence diagram
This section is non-normative.
Figure1 Example flow of events for subscription, push message delivery, and unsubscription
ThegetKey() method on aPushSubscription is used to retrieve keying material used to encrypt and authenticatepush messages. Each invocation of the function returns a newArrayBuffer that contains the value of the corresponding key, ornull if the identified key doesn't exist. Passing a value of "p256dh" retrieves aelliptic curve Diffie-Hellman (ECDH) public key associated with thepush subscription. Passing a value ofauth returns an authentication secret that an application server uses in authentication of its messages. These keys are used by theapplication server to encrypt and authenticate messages for thepush subscription, as described in [RFC8291].
6. Extensions to theServiceWorkerRegistration Interface
ThesupportedContentEncodings attribute exposes the sequence of supported content codings that can be used to encrypt the payload of apush message. A content coding is indicated using theContent-Encoding header field when requesting the sending of apush message from thepush service.
User agentsMUST support theaes128gcm content coding defined in [RFC8291], andMAY support content codings defined in previous versions of the draft for compatibility reasons.
7.1subscribe() method
Thesubscribe() method when invokedMUST run the following steps:
Compare theoptions argument with theoptions attribute ofsubscription. The contents ofBufferSource values are compared for equality rather thanreference.
Permission to use the push service can be persistent, that is, it does not need to be reconfirmed for subsequent subscriptions if a valid permission exists.
If there is a need to ask for permission, it needs to be done by invoking thesubscribe() method.
TheuserVisibleOnly attribute, when getting, returns the value it was initialized with.
TheapplicationServerKey attribute, when getting, returns the value it was initialized with.
If present, the value ofapplicationServerKeyMUST include a point on the P-256 elliptic curve [DSS], encoded in the uncompressed form described in [ANSI-X9-62] Annex A (that is, 65 octets, starting with an 0x04 octet). When provided as aDOMString, the valueMUST be encoded using the base64url encoding [RFC7515].
User agentsMAY reject a subscription attempt whenapplicationServerKey is not present and thepush service requires one for operational reasons.
TheuserVisibleOnly member, when set totrue, indicates that thepush subscription will only be used forpush messages whose effect is made visible to the user, for example by displaying a Web Notification. [NOTIFICATIONS]
Whengetting theendpoint attribute, theuser agentMUST return thepush endpoint associated with thepush subscription. Theuser agentMUST use a serialization method that does not contain input-dependent branches (that is, one that is constant time).
ThegetKey() method retrieves keying material that can be used for encrypting and authenticating messages. WhengetKey() is invoked the following process is followed:
Find the internal slot corresponding to the key named by thename argument.
If a slot was not found, returnnull.
Initialize a variablekey with a newly instantiatedArrayBuffer instance.
If the internal slot contains an asymmetric key pair, set the contents ofkey to the serialized value of the public key from the key pair. This uses the serialization format described in the specification that defines the name. For example, [RFC8291] specifies that the "p256dh" public key is encoded using the uncompressed format defined in [ANSI-X9-62] Annex A (that is, a 65 octet sequence that starts with a 0x04 octet).
Otherwise, if the internal slot contains a symmetric key, set the contents ofkey to a copy of the value from the internal slot. For example, theauth parameter contains an octet sequence used by theuser agent to authenticate messages sent by anapplication server.
Returnkey.
Keys named "p256dh" and "auth"MUST be supported, and their valuesMUST correspond to those necessary for the user agent to decrypt received push messages in accordance with [RFC8291].
Theunsubscribe() method when invokedMUST run the following steps:
Letkeys be a new empty instance ofrecord<DOMString, USVString> .
For each identifieri corresponding to keys in internal slots on thePushSubscription, ordered by the name of the key:
If the internal slot corresponds to an asymmetric key pair, letb be the encoded value of the public key corresponding to the key namei, using the encoding defined for the key name (seegetKey()).
Otherwise, letb be the value as returned bygetKey.
Lets be the URL-safe base64 encoding without padding [RFC4648] ofb as aUSVString. Theuser agentMUST use a serialization method that does not branch based on the value ofb.
Setkeys[i] tos.
Setjson["keys"] tokeys.
Returnjson.
APushSubscriptionJSON dictionary represents theJSON type of aPushSubscription. In ECMAScript this can be converted into a JSON string through theJSON.stringify() function.
Thekeys record contains an entry for each of the supportedPushEncryptionKeyName entries to the URL-safe base64 encoded representation [RFC4648] of its value.
Encryption keys used forpush message encryption are provided to a web application through thegetKey() method or the serializer ofPushSubscription. Each key is named using a value from thePushEncryptionKeyName enumeration.
ThearrayBuffer() method steps are to return anArrayBuffer whose contents arethis'sbytes. Exceptions thrown during the creation of theArrayBuffer object are re-thrown.
Theblob() method steps are to return a newBlob object whose contents arethis'sbytes.
Thebytes() method steps are to return a newUint8Array backed by aArrayBuffer whose contents arethis'sbytes. Exceptions thrown during the creation of theArrayBuffer object are re-thrown.
When aconstructor of thePushEvent interface, or of an interface that inherits from thePushEvent interface, is invoked, the usualevent constructing steps are extended to include the following steps:
IfeventInitDict'sdata member is not present, set thedata attribute of the event tonull and terminate these steps.
Thedata member contains the data included in thepush message when included and theuser agent verified its authenticity. The value will be set tonull in all other cases.
Decrypt thepush message payload using the private key from the key pair associated withsubscription and the process described in [RFC8291]. Setbytes to the resultingbyte sequence.
If thepush message payload could not be decrypted for any reason:
Acknowledge the receipt of thepush message according to [RFC8030]. Though the message was not successfully received and processed, this prevents the push service from attempting to retransmit the message; a badly encrypted message is not recoverable.
Abort these steps.
Note
Apush event will not be fired for apush message that was not successfully decrypted using the key pair associated with thepush subscription.
Acknowledging also means that anapplication server could incorrectly receive a delivery receipt indicating successful delivery of thepush message. Therefore, multiple rejectionsSHOULD be permitted before acknowledging; allowing at least three attempts is recommended.
10.5 Thepushsubscriptionchange Event
Thepushsubscriptionchange event indicates a change in apush subscription that was triggered outside of the application's control, for example because it has been refreshed, revoked or lost.
Consider using a more reliable synchronization mechanism such as [WEB-BACKGROUND-SYNC] when sending the details of the newpush subscription to yourapplication server. The user might be subject to unreliable network conditions that could cause a fetch to fail.
TheoldSubscription member details thepush subscription thatSHOULD NOT be used anymore. The value will benull when theuser agent is not able to provide the full set of details, for example because of partial database corruption.
11. Accessibility
ThePush API does not provide any means itself to present data it receives from apush service. Instead, thePush API relies on other APIs – primarily theNotifications API Standard – to present received information to an end user. As such, there are no accessibility requirements for thePush API itself. However, specifications such as [NOTIFICATIONS] provide guidance how to present notifications in an accessible manner.
Further, presenting an accessible interface might depend on transferring more information than a push message can convey. Push messages are best suited to carrying small amounts of content or identifiers. Any larger resources need to be fetched from servers.
12.Conformance
As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.
The key wordsMAY,MUST,MUST NOT,SHOULD, andSHOULD NOT in this document are to be interpreted as described inBCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
This specification defines conformance criteria that apply to a single product: theuser agent that implements the interfaces that it contains.
The editors would like to express their gratitude to the Mozilla and Telefónica Digital teams implementing the Firefox OS Push message solution, as well as to the following people who provided significant technical input to this document: Antonio Amaya, Miguel García Arribas, Ben Bangert, Kit Cambridge, José Manuel Cantera, JR Conlin, Albert Crespell, Matt Gaunt, Phil Jenvey, Guillermo López, Nikhil Marathe, John Mellor, Pınar Özlen, Fernando R. Sela, Shijun Sun and Doug Turner.
