This document answers the questions raised in the Security and Privacy Questionnaire in context of the Push API.
The Push API issues a subscription that has an endpoint unique to the user. It persists until the subscription is cleared, either by the developer or by the user through Clear Site Data features provided by the user agent.
The specification states that endpoints must not be reused to avoid the creation of a persistent identifier.
The developer can specify an arbitrary payload that is to be included with the push message. Such a payload must be encrypted in accordance with draft-ietf-webpush-encryption to make sure that third parties, including the push service (a mandatory intermediary), cannot gain access to it.
3.3 Does this specification introduce new state for an origin that persists across browsing sessions?
Yes, a push subscription.
No.
3.5 Does this specification expose any other data to an origin that it doesn’t currently have access to?
No.
Yes. The Push API enables developers to wake up their Service Worker remotely, without depending on the user to have an open window or tab to the origin, or, in some cases, without depending on the browser to be running at all.
Potentially, through IP-to-location mechanisms when the Service Worker issues a fetch.
No.
3.9 Does this specification allow an origin access to aspects of a user’s local computing environment?
The user agent selects a push service, which might be shared with other applications on the device. The identity of the push service is available to the developer through the subscription's endpoint.
No.
No.
No. (See 3.1. and 3.3. for details on the push subscription.)
No.
This is not defined by the specification.
In practice, existing implementations disable the Push API in Private Browsing mode largely due to a dependency on notifications ("Push Notifications"), which makes it challenging to provide a clear user experience given the constraints of Private Browsing.
Yes. At most once push subscription per Service Worker, which includes an endpoint, a P-256 EC key pair and a 16-byte authentication secret. User agents may need to store additional data depending on the push service they interact with.
The lifetime of the subscription is tied to the lifetime of the Service Worker, which will be removed by Clear Site Data features available in the user agent.
Yes.
No.