The Notifications API [0] allows websites to show notifications outside of the browser viewport, integrating into the native OS-like notification system. In combination with service workers this can be used to send push notifications that work even when the website is not opened. While the latter has always required a secure context [1], the plain Notifications API in Firefox has been available to sites loaded over insecure connections so far.

Notifications is a powerful feature that should not be exposed to websites over HTTP and we intend to deny permission requests for Notifications that were not made in secure contexts from Firefox 67. This supports our general policy that already made us disallow geolocation on insecure contexts [2]. Blink shipped this change over a year ago: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/IVgkxkRNtMo/discussion

Around 2% of notification permission requests are currently done over HTTP in Firefox Beta 65 [3]. The resulting breakage should, in many cases, not affect the overall website functionality.

I plan to make this change in bug 1429432 [4] and let it ride the trains targeting Firefox 67.

Instead of restricting the Notification.requestPermission API via [SecureContext] attribute, we will follow the pattern established by other browsers and deny the permission without asking the user. We will also log a warning to the developer console, similar to the geolocation one.

Standardization is tracked in https://github.com/whatwg/notifications/issues/93.

Thanks,
Johann

[0] https://notifications.spec.whatwg.org/
[1] https://www.w3.org/TR/secure-contexts/
[2] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BvcsTpAqIsQ
[3] https://mzl.la/2H2dJmW
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1429432
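
For site code affected by the change announced above, the following is an added example; it is not part of the original message and is not Mozilla's code. It checks `isSecureContext` before calling `Notification.requestPermission`, so a page served over HTTP can degrade gracefully instead of receiving a denial the user never saw. The function names `notificationPlan` and `enableNotifications`, the `env` parameter (a stand-in for `window`) and the two sample pages are assumptions made for illustration.

```javascript
// Added example, not Mozilla's code. `env` stands in for the page's `window`
// so the same logic can be exercised with constructed objects outside a browser.

// Decide what to do before touching the permission API.
function notificationPlan(env) {
  if (!env || !("Notification" in env)) return "unsupported";
  const current = env.Notification.permission;
  if (current === "granted" || current === "denied") return current; // already decided
  // Over plain HTTP the request is denied without a prompt (Firefox 67 per the
  // announcement, Blink earlier), so do not call requestPermission at all.
  if (env.isSecureContext !== true) return "insecure-context";
  return "prompt";
}

// Carry out the plan. Resolves to "granted", "denied", "default",
// "unsupported" or "insecure-context".
function enableNotifications(env) {
  const plan = notificationPlan(env);
  if (plan !== "prompt") return Promise.resolve(plan);
  return new Promise((resolve, reject) => {
    // Legacy implementations only take a callback; current ones return a promise.
    const pending = env.Notification.requestPermission(resolve);
    if (pending && typeof pending.then === "function") pending.then(resolve, reject);
  });
}

// Constructed environments for demonstration (not real browser objects).
const httpPage = {
  isSecureContext: false,
  Notification: {
    permission: "default",
    requestPermission() { throw new Error("must not be called over HTTP"); },
  },
};
const httpsPage = {
  isSecureContext: true,
  Notification: { permission: "default", requestPermission: () => Promise.resolve("granted") },
};

enableNotifications(httpPage).then((state) => console.log("http page:", state));
enableNotifications(httpsPage).then((state) => console.log("https page:", state));
```

In a page, call `enableNotifications(window)` from a user gesture and treat `"insecure-context"` as the signal to hide notification UI until the site is served over HTTPS.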