All data brokered by the service must be encrypted to a keypair whose private key is held only by the end user's browser, using the scheme described in the webpush-encryption IETF draft spec at https://tools.ietf.org/html/draft-ietf-webpush-encryption-01
I wonder about metadata, though. While Mozilla doesn't know the contents of messages, it's still generally well aware of who (sender IP) is sending messages to whom (receiver IP) - is that correct?
(I suppose this can be somewhat mitigated by running a private self-hosted autopush instance and replacing dom.push.serverURL.)
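Added example, not part of any comment in this thread and not Mozilla's or autopush's code: a simplified Node.js sketch of the arrangement discussed above, where a site encrypts to a key held only by the browser and the broker relays the result. It assumes ECDH on P-256, HKDF-SHA-256 and AES-128-GCM for illustration and does not reproduce the draft's exact key schedule or record framing; all function names, the HKDF label and the endpoint URL are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Browser: create the subscription keypair. Only publicKey is handed to the site.
function createSubscription() {
  const ecdh = nodeCrypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Both ends: turn the ECDH shared secret into an AES key and a GCM nonce.
function deriveKey(sharedSecret, salt) {
  const label = Buffer.from('demo push key'); // hypothetical label, not the draft's
  const okm = Buffer.from(nodeCrypto.hkdfSync('sha256', sharedSecret, salt, label, 28));
  return { key: okm.subarray(0, 16), nonce: okm.subarray(16) };
}

// Site: encrypt one notification to the browser's public key with a fresh
// ephemeral keypair and salt, so every message gets its own key.
function encryptForSubscriber(subscriberPublicKey, plaintext) {
  const eph = nodeCrypto.createECDH('prime256v1');
  const senderPublicKey = eph.generateKeys();
  const salt = nodeCrypto.randomBytes(16);
  const { key, nonce } = deriveKey(eph.computeSecret(subscriberPublicKey), salt);
  const c = nodeCrypto.createCipheriv('aes-128-gcm', key, nonce);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final(), c.getAuthTag()]);
  return { senderPublicKey, salt, body };
}

// Broker: it relays msg but holds no private key. What remains visible to it
// in this sketch is which subscription endpoint is addressed and the body size.
function brokerView(endpoint, msg) {
  return { endpoint, bodyLength: msg.body.length };
}

// Browser: recompute the shared secret with the private key and decrypt.
// Throws if the message was not encrypted to this subscription or was altered.
function decryptInBrowser(subscription, msg) {
  const secret = subscription.ecdh.computeSecret(msg.senderPublicKey);
  const { key, nonce } = deriveKey(secret, msg.salt);
  const split = msg.body.length - 16; // last 16 bytes are the GCM tag
  const d = nodeCrypto.createDecipheriv('aes-128-gcm', key, nonce);
  d.setAuthTag(msg.body.subarray(split));
  return Buffer.concat([d.update(msg.body.subarray(0, split)), d.final()]).toString('utf8');
}
```

The sketch only models the message body and endpoint; network-level metadata seen by whoever runs the push server is outside what it shows.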
> a broker service run by your browser vendor
That means that Mozilla, as an example of a browser vendor, knows anything that any site using that feature wants to notify me about, including mails and messages from those sites?