You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content.mkd
+24-8Lines changed: 24 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -223,7 +223,7 @@ A "property update" occurs when the WebDAV properties of the subscribed resource
223
223
- only in property updates of the subscribed resource and its internal members (depth: `1`), or
224
224
- in property updates of the subscribed resource and its members (depth: `infinity`).
225
225
226
-
If the subscribed resource doesn't support the content update trigger with the requested depth, the server MUST fall back to the lowest supported value instead. If the content update trigger isn't supported for the subscribed resource at all, it MUST be ignored.
226
+
If the subscribed resource doesn't support the property update trigger with the requested depth, the server MUST fall back to the lowest supported value instead. If the property update trigger isn't supported for the subscribed resource at all, it MUST be ignored.
227
227
228
228
In case the depth is `infinity`, the limitations described in {{Section 3.3 of RFC6578}} apply: notifications about changes in members which are not supported by the `DAV:sync-collection` report may not be sent.
229
229
@@ -324,7 +324,7 @@ In case of the Web Push transport, this happens over a `POST` request to the sub
324
324
325
325
The push message body consists of a `push-message` element, which contains information about the affected resource:
326
326
327
-
- a `topic` element with the push topic,
327
+
- a `topic` element with the push topic (except for VAPID key rotation messages, see {{vapid-key-rotation}}),
328
328
- a `content-update` element in case of a content update, and/or
329
329
- a `property-update` element in case of a property update.
330
330
@@ -472,7 +472,7 @@ Corresponding terminology:
472
472
* (WebDAV-Push) push server ↔ (Web Push) application server
473
473
* (WebDAV-Push) push client ↔ (Web Push) user agent
474
474
475
-
Message encryption ({{message-encryption}}) MUST be used. VAPID ({{vapid}}) SHOULD be used. (If other methods to provide a security context for Web Push become established, those can be used and necessary WebDAV properties shall be added to this document.)
475
+
Message encryption ({{message-encryption}}) MUST be used. VAPID(((VAPID))) ({{vapid}}) SHOULD be used. (If other methods to provide a security context for Web Push become established, those can be used and necessary WebDAV properties shall be added to this document.)
476
476
477
477
A server that supports the Web Push transport MUST list the `web-push` element in the `transports` property.
478
478
@@ -510,17 +510,33 @@ It contains exactly one `push-resource` element, which specifies the absolute UR
510
510
A Web Push subscription is uniquely identified by its push resource.
511
511
512
512
513
-
## VAPID {#vapid}
513
+
## VAPID(((VAPID))) {#vapid}
514
514
515
-
VAPID {{RFC8292}} binds push subscriptions to the specific WebDAV-Push server.
515
+
VAPID {{RFC8292}} binds push subscriptions to a specific WebDAV-Push server.
516
516
517
517
A WebDAV-Push server that supports VAPID stores a key pair. It exposes an additional transport property `vapid-public-key` within the `web-push` element, which contains the VAPID public key in uncompressed form and base64url encoded. The attribute `type="p256ecdsa"` MUST be added to allow different key types in the future. See {{push-properties}} for an example.
518
518
519
-
If available, the client MUST use this key to create a restricted subscription at the push service, except when it knows that the push service doesn't support VAPID.
519
+
If the server provides a VAPID public key, the client MUST use that key to create a restricted subscription at the push service (except when the used push service doesn't support VAPID).
520
520
521
-
A client can expect the VAPID public key to be the same for all resources on the server. However the VAPID public key can still sometimes change (for instance when the server or user data is moved to another machine). In that case a client has to create new restricted subscriptions because the old ones won't work anymore.
521
+
A client can expect the VAPID public key to be the same for all resources on the server.
522
522
523
-
When the server provides a VAPID public key, it MUST include a corresponding `Authorization` header when sending a push message in order to prove its identity to the push service.
523
+
When the server provides a VAPID public key, it MUST include a corresponding `Authorization: vapid` header when sending a push message to prove its identity to the push service.
524
+
525
+
### Key Rotation {#vapid-key-rotation}
526
+
527
+
The VAPID public key can sometimes change, either intentionally (key rotation) or for instance when the server or user data is moved to another machine. When the VAPID key has changed, a client has to create new restricted subscriptions because the old ones won't work anymore (they're bound to the old VAPID key).
528
+
529
+
When a server that changes its VAPID key is able to notify clients with the old VAPID key before switching, it SHOULD send a `property-update` push message without `topic`, with zero `depth` and with the `transports` property to every distinct subscription.
530
+
531
+
A client that receives a `property-update` push message with the `transport` property MUST assume that the last known VAPID key isn't valid anymore. So in order to restore Push functionality, it has to query the new VAPID key, create a new subscription and register it again.
532
+
533
+
However because it's possible that the VAPID key changes without possibility to notify the clients with the old key, so a client SHOULD regularly check the VAPID key.
0 commit comments