Sending web push notifications directly from a browser to another, using the Push API protocol, is not a secure practice. Now CORS is finally removed from all browser push services.
In the last days CORS support was removed from Mozilla Autopush, and this is a deliberate choice, as confirmed in the comments on GitHub:
Mozilla Autopush was the only push service that allowed that.
This means that now all major push services (Mozilla Autopush, FCM, WNS, etc.) block the Web Push requests coming directly from a browser. This imply that browsers cannot send notifications directly to another browser. They need to use an intermediate server, as already explained in this article.
We welcome this decision, because using the current standard (Push API) directly from clients would have opened a lot of security issues.
We can’t think of any real-word scenario where “P2P Web Push” can be used securely.
In a P2P scenario, a user would share his endpoint (device identifier) directly with other users, but notifications are associated to a domain name! Basically the notifications are associated to the domain authority and its permissions…
For example, a random user that receives the endpoint of another user could:
- share the endpoint publicly
- someone can send phishing or any other dangerous content to that user
… and the domain displayed in the notification (that will be probably blocked by any antivirus, etc.) is the original domain.
In order to avoid that, it’s better to keep the VAPID keys secret on the application server (or use a service like Pushpad which takes care of that).
Finally, if you want to send web push notifications from a browser to another using the best practices, we recommend to read this related article.