web-push-libs / web-push

Web Push library for Node.js


Add whitelist for valid browser push service hosts

jfbrennan opened this issue · comments

Doesn't look like web-push whitelists the known list of valid browser push services. Is this on purpose?

The list is short and documented by each vendor. AFAIK there are zero hosts other than the ones from browsers that web-push should ever attempt to send messages to. There is apparently an android.chromlum.info (note the L) malware service, and if clients were compromised they could potentially send messages to that service.

The list is, from what I've been able to gather, just this:

| Browser | Service name | Host |
| --- | --- | --- |
| Safari | Apple Push Notification Service or APNS | `*.push.apple.com` |
| Chrome, Brave, Opera | Google Firebase Cloud Messaging or FCM | `fcm.googleapis.com`, `android.googleapis.com` |
| Edge | Windows Push Notification Services | `*.notify.windows.com` |
| Firefox | Mozilla autopush | `updates.push.services.mozilla.com` (plus other non-prod envs) |

In theory, one might want to run their push service. We could:

  • print a warning when an unknown push service is used;
  • add a parameter to sendNotification to block unknown push services.

In theory, one might want to run their push service.

If I understand you correctly, it's impossible to get a browser to subscribe to your own push service. PushManager.subscribe() internally calls the browser vendor's own private push service and you have no way of changing that.

In Firefox you can change it by setting some internal preferences. If you are a big organization that wants to have a private push service, you could do that.

Oh interesting. I'll pray for any org who goes down that path :)

It's not too complex, you "just" need to use an open source Web Push server like https://github.com/mozilla-services/autopush-rs/ and deploy it somewhere :)

This just adds an unnecessary time bomb to the library if any of the vendors decide to change their push service domain, or if any new vendors start to run their own services. If someone is this paranoid about security, it's better to whitelist it on the DNS layer.

Ok I understand the hesitation because things can and do change and you don't want to burden the library with that maintenance. To be fair, there's no "paranoia" here. Attacks have and will happen, like android.chromlum.info which was a malicious web push endpoint.

There aren't a lot of good resources to help guard against this; perhaps this lib could simply add some info/resources in its docs?

I would accept a PR to do one or both of the things in #801 (comment).