content.mkd: 6 additions & 4 deletions
@@ -453,13 +453,15 @@ A Web Push subscription is uniquely identified by its push resource.
453
453
454
454
## VAPID {#vapid}
455
455
456
-
VAPID binds push subscriptions to the specific WebDAV-Push server.
456
+
VAPID {{RFC8292}} binds push subscriptions to the specific WebDAV-Push server.
457
457
458
-
A WebDAV-Push server which supports VAPID stores a key pair. The server exposes an additional transport property `vapid-public-key`(within the `web-push` element), which contains the VAPID public key in uncompressed form and base64url encoded. Its attribute `type="p256ecdsa"` MUST be added to allow different key types in the future. See {{push-properties}} for an example.
458
+
A WebDAV-Push server that supports VAPID stores a key pair. It exposes an additional transport property `vapid-public-key` within the `web-push` element, which contains the VAPID public key in uncompressed form and base64url encoded. The attribute `type="p256ecdsa"` MUST be added to allow different key types in the future. See {{push-properties}} for an example.
459
459
460
460
If available, the client MUST use this key to create a restricted subscription at the push service, except when it knows that the push service doesn't support VAPID.
461
461
462
-
A client can expect the VAPID public key to be the same for all resources on the server. When the server provides a VAPID public key, it MUST include a corresponding `Authorization` header when sending a push message in order to prove its identity to the push service.
462
+
A client can expect the VAPID public key to be the same for all resources on the server. However the VAPID public key can still sometimes change (for instance when the server or user data is moved to another machine). In that case a client has to create new restricted subscriptions because the old ones won't work anymore.
463
+
464
+
When the server provides a VAPID public key, it MUST include a corresponding `Authorization` header when sending a push message in order to prove its identity to the push service.
463
465
464
466
465
467
## Message Encryption {#message-encryption}
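Review bot: The added paragraph on key changes ("However the VAPID public key can still sometimes change ...") leaves the client without a way to notice the change and states the recovery step only informally. "a client has to create new restricted subscriptions" sits between sentences that use MUST, so it is unclear whether this is a requirement. Suggest saying how the client detects a changed key (for instance by comparing the current `vapid-public-key` property with the key it used when creating the subscription), making the re-subscription step normative if it is meant to be, and saying what the server does with registrations whose subscriptions are restricted to the old key, since its `Authorization` header will no longer match them. Minor: add a comma after "However".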
@@ -469,7 +471,7 @@ Message encryption hides details of push messages from the push services. Before
469
471
When the client then registers this subscription at the server, it MUST include these subscription properties:
470
472
471
473
*`content-encoding` – how the encrypted content is encoded; currently only `aes128gcm` is supported
472
-
*`client-public-key` – public key of the user agent's key pair in uncompressed form and base64url encoded; attribute `type="p256dh"` MUST be added to allow different key types in the future
474
+
*`subscription-public-key` – public key of the user agent's key pair in uncompressed form and base64url encoded; attribute `type="p256dh"` MUST be added to allow different key types in the future
473
475
*`auth-secret` – authentication secret
474
476
475
477
These properties are bound to the subscription (which is identified by the push resource). A server doesn't need to store these properties for every registration, but only once for the subscription.
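Review bot: Renaming `client-public-key` to `subscription-public-key` in this list item changes a property that clients MUST send, and the commit does not say how existing names are handled. The two hunks account for all 6 additions and 4 deletions, so any other occurrence of `client-public-key` in content.mkd (examples, element definitions) is not updated here. Suggest checking the rest of the document for the old name and stating whether a server should still accept `client-public-key` from clients written against the earlier text, or reject the registration.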