In short, there's a single, persistent websocket connection between you and a broker service run by your browser vendor. Each subscription has a unique, anonymous URL on that service that gets provided to the website. To prevent abuse, there are throttles / quotas / limits imposed on push messages that do not show user-visible notifications.
The source to Mozilla's broker, autopush, is at https://github.com/mozilla-services/autopush. We recently rewrote it from Go into Python, which we now run with PyPy in production.
That means that Mozilla, as an example of a browser vendor, knows anything any site which uses that feature wants to notify me, including mails and messages from those sites?
All data brokered by the service must be encrypted to a keypair whose private key is held only by the end user's browser, using the scheme described in the webpush-encryption IETF draft spec at https://tools.ietf.org/html/draft-ietf-webpush-encryption-01
I wonder about metadata, though. While Mozilla doesn't know the contents of messages, it's still generally well aware of who (sender IP) is sending messages to whom (receiver IP) - is that correct?
(I suppose this can be somewhat mitigated by running a private self-hosted autopush instance and replacing dom.push.serverURL)