Nice docs by @fugueish on service worker security considerations: https://sites.google.com/a/chromium.org/dev/Home/chromium-security/security-faq/service-worker-security-faq …
Users explicitly opt-in to per-site notification permissions here. Nothing is implicit.
-
-
They consent to notifications, not to persistent background code execution, as I stated. There's also no ongoing consent to it like apps.
-
What is the delta in "ongoing consent"? If users tap into the "site settings" link on every push, they can remove push.
End of conversation
New conversation -
-
-
And what does signing buy? We can kill-switch bad push senders just as (or more) easily.
-
Yeah, not buying that. Google claims to police GCM too. Don't believe in the enumerating badness and IDS fluff.
- 5 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
& Web Standards TL; Blink API OWNER
Named PWAs w/
DMs open. Tweets my own; press@google.com for official comms.