Well, Mozilla is indeed focusing more
on WebPush rather than Simplepush. There are only a few products
that use SimplePush at the moment, and frankly, the feature set
for WebPush makes it far more interesting.
If I may, I'd suggest focusing on areas we've seen folks struggle
1) Data encryption -
Not terribly surprising, but folks have problems getting ECDH
encryption and header
publication right. I can only presume that folks that have
problems with this lead rich,
full lives surrounded by friends and loved ones and for some
inexplicable reason, don't
enjoy delving into frustrating bouts of brain melting math.
Giving these poor souls a way to easily bundle up data that
endpoints can decrypt so they
can continue their care-free lives of joy might be useful.
2) Subscriber management -
Somewhat in hand with the previous point, dealing with
subscribers using WebPush is
a fair bit more complicated than it would first seem.
Subscribers can have multiple endpoints
that may shift, or simply disappear in a puff of 410 smoke.
Plus, there's the encryption keys
that need to persist and be safe-guarded from compromise, and
all the fun that goes with
3) VAPID -
Mozilla currently uses VAPID to allow subscription providers a
way to voluntarily provide
info about themselves. The process involves a bit more
brain-tweaking ECDH crypto, and there
are some considerations that might escape the casual user
(Keep your VAPID key separate from
your publication keys; Keep your private VAPID key private;
Resubscribe your customers on key
VAPID is strongly favored for how subscriptions updates would
be authorized for other service
So, yeah, full plate. More than enough to scrape SimplePush off to
make room, and the nice bonus is that the new stuff isn't just for
one provider, and will make your library that much more
I've got a few resources to help folks get going on this:
WebPush Data Test Page, which is a stand alone page that encrypts
a data block and shows you as much as possible for key auditing. I
recommend opening the Browser Console, since I'm a bit verbose.
That page includes VAPID header support, but if you just wanted to
see that bit:
- VAPID test page,
which again is stand alone and can encode and decode VAPID header
accepting PRs for other languages (hint, hint).
I'm also working on a document that (hopefully) lays out the
various steps and considerations for App Servers / subscription
Does that make sense to y'all?
On 5/24/2016 11:45 PM, Matthias Wessendorf wrote: