From f1921ca607f7b9d1176a7b9230ea43f0dfebbf14 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Wed, 10 Sep 2025 12:00:15 +0200 Subject: [PATCH] Remove redundant requirements around permissions and secure contexts The security section shouldn't be a rehash of requirements already spelled out elsewhere (either directly or through dependencies). --- index.html | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/index.html b/index.html index fdeb221..281f36d 100644 --- a/index.html +++ b/index.html @@ -928,13 +928,6 @@

far as possible, and subject to meeting that goal, to protect the integrity of the application server's communication with the user.

-

- User agents MUST NOT provide Push API access to web applications without the - express permission of the user. User agents MUST acquire consent for - permission through a user interface for each call to the `subscribe()` method, unless a - previous permission grant has been persisted, or a prearranged trust relationship applies. - Permissions that are preserved beyond the current browsing session MUST be revocable. -

The Push API may have to wake up the Service Worker associated with the service worker registration in order to run the developer-provided event handlers. This can cause @@ -968,12 +961,6 @@

identifier that the user cannot remove. This also prevents reuse of the details of one push subscription to send push messages to another push subscription.

-

- User agents MUST implement the Push API to only be available in a [=secure - context=]. This provides better protection for the user against man-in-the-middle attacks - intended to obtain push subscription data. Browsers may ignore this rule for development - purposes only. -
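Review bot: In the first hunk (@@ -928,13 +928,6), the deleted paragraph carries three separate requirements, and the commit message says they are spelled out elsewhere without naming where. The requirements are: no Push API access without the user's express permission, consent for each call to `subscribe()` unless a grant has been persisted or a prearranged trust relationship applies, and "Permissions that are preserved beyond the current browsing session MUST be revocable." Please confirm each one, the revocability MUST in particular, has a normative home in this document or a dependency. Consider leaving a one-sentence non-normative pointer here so a reader of the security section can still find them.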
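Review bot: In the second hunk (@@ -968,12 +961,6), the deletion removes more than the secure-context MUST. It also drops the stated rationale (protection "against man-in-the-middle attacks intended to obtain push subscription data") and the allowance that "Browsers may ignore this rule for development purposes only." Neither of these restates a requirement. Suggest keeping the rationale as a non-normative sentence in this section, and noting in the commit message whether the development allowance is dropped intentionally or covered elsewhere.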