Demystifying Web Push Notifications

&gt; <i>ChatGPT struggled to generate any good code for me, and I also struggled to find any minimal clear explanations online.</i><p>The two are probably related...

Web push is basically useless because Google hasn&#x27;t prioritized fixing the issues causing Android to delay the notifications by 10 minutes or more. They are basically only useful for &quot;re-engagement&quot; spam, nothing time critical.<p><a href="https:&#x2F;&#x2F;bugs.chromium.org&#x2F;p&#x2F;chromium&#x2F;issues&#x2F;detail?id=777106" rel="nofollow noreferrer">https:&#x2F;&#x2F;bugs.chromium.org&#x2F;p&#x2F;chromium&#x2F;issues&#x2F;detail?id=777106</a><p>There are a whole bunch of sad bugs about Web Push in the issue tracker. It&#x27;s disappointingly typical of the PWA APIs. They sound like they have the capabilities you need until you try to use them and uncover a minefield of five year old known issues that will never be fixed.

How the push service delivers the message to the browser is still mysterious to me. Is Firefox simply hardcoded to poll Mozilla&#x27;s push service?

I&#x27;m surprised to learn that this isn&#x27;t an open standard. E.g I must make an API call to a browser vendor. Is this a form of vendor lock-in?

If you&#x27;re like me you might want to take this as a push to disable all notifications in Firefox:<p><a href="https:&#x2F;&#x2F;superuser.com&#x2F;questions&#x2F;1300131&#x2F;how-to-completely-disable-push-notifications-in-firefox" rel="nofollow noreferrer">https:&#x2F;&#x2F;superuser.com&#x2F;questions&#x2F;1300131&#x2F;how-to-completely-di...</a>

&quot;You’ll receive an error if a user has revoked the notification permission on your page (or if the subscription has expired). You can catch these errors and remove invalid subscriptions.&quot;<p>From an outside perspective, this doesn&#x27;t seem right -- wouldn&#x27;t you want to <i>check</i> the error is because the channel has been revoked? It could be due to a temporary outage on either your side or the push server itself. With the code above, you might end up revoking all of your push subscriptions (upon broadcast) if your network goes down.

I have written one blog introducing Web Push Notifications on iOS<p><a href="https:&#x2F;&#x2F;taoshu.in&#x2F;web&#x2F;push-on-ios.html" rel="nofollow noreferrer">https:&#x2F;&#x2F;taoshu.in&#x2F;web&#x2F;push-on-ios.html</a>

Good article. Another VAPID key generator site is helpful, too bad it doesn&#x27;t seem to work. And even when you have what seems like a valid key, browsers might give errors of the form &quot;Invalid VAPID token&quot; which are very frustrating... And sometimes only happen in Firefox vs Chrome. Would like to see anyone do a more thorough write-up of this part though:<p>&gt; In order to send web push notifications from your backend application server, you have to construct, encode, and encrypt the messages properly.<p>Basically, that&#x27;s the hardest part, if you don&#x27;t have library support of someone having done it for you already.<p>Web Push is both simple in design and yet frustrating. I gained some sympathy for sites that have opted not to support it after trying to do it myself without a library on a test page. (I&#x27;d only do it for real if anyone besides myself would use it, and just use the library.)

Great article, thank you for sharing! The web-push package has a generateVAPIDKeys have you tried that? Was it not good since you use vapidkeys.com?

I do like Web Push Notifications.<p>But the way chrome implemented them on Windows makes them the perfect tool for social engineering, sneaking advertisement into windows and other malicious use cases.<p>Worse the controls for disabling them had been a complete UX nightmare last time I took a look at it (both in FF and Chrome; nightmare as in inexperienced users will have issues doing so) making it even more perfect for abuse.<p>And instead of fixing that Google decided to make it semi unusable for many proper use-cases (and FF didn&#x27;t fix that either).<p>To top that off last time I tried to use them they didn&#x27;t work on Firefox no idea if that was my firewall, uBlock, Firefox or the websites fault.

I wrote my own push notification in PHP using Server Sent Events.<p>Basically it looks on the database for notifications not sent that are new and then send them.<p>You need to have your browser running in the background but it worked fine for me.<p>Never tested it in large scale though.<p><a href="https:&#x2F;&#x2F;youtu.be&#x2F;D4wimodtpKk" rel="nofollow noreferrer">https:&#x2F;&#x2F;youtu.be&#x2F;D4wimodtpKk</a>

Srs question, does anyone actually use these?

Sad state of PWA: we can send messages to thousands of browsers, but still cannot fire single local alarm on local device which is offline.

great &#x2F; detailed write-up OP. <i>hat-tip</i>

That is actually pretty cool.<p>But no, I have that turned off. I&#x27;ve never seen a purpose beyond spam.

Strange, browser tells me domain pqvst.com does not exists

&quot;While you can technically generate your VAPID keys by yourself, it is much easier to use a generator, like vapidkeys.com, which will generate a set of keys for you.&quot;<p>Please don&#x27;t use online tools to generate private keys. Not CSRs, not WG configs or bitcoin wallets, Nothing. Just don&#x27;t.

Hm, it looks like all Chromium-based browsers, including Edge, Brave, and Samsung Internet, use Google’s endpoint for web push subscriptions. Is that true? If yes, is that a potential privacy issue?