Open collimarco opened 1 year ago
Seen from another perspective: if the key pair changes, the endpoint MUST also change. Having the same endpoint, but different keys at different times, would be extremely confusing and error-prone (I don't think that browsers are doing this, but it's better to clarify that in the standard).
When a push subscription is refreshed, I assume that the new push subscription is a completely different object, with a different endpoint and different keys.
Having a guarantee that all subscription fields (endpoint and keys) are immutable allows an application server that stores the subscriptions in a database to mark the fields as immutable and thus protect the integrity of subscriptions.
I think that the behavior is already correct in the browsers (can you confirm?). However, you need to clarify the sentence in the standard to make it more explicit:
https://www.w3.org/TR/push-api/#subscription-refreshes
[[Bold]] is mine, it's the change.
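The server-side storage model described in the issue above, as an added example that is not part of the original post or of the Push API specification. It assumes the behaviour the issue asks the standard to guarantee; the SQLite table, column names, function names and sample values are hypothetical.

```python
import sqlite3

# Hypothetical schema: endpoint and both keys are write-once.
SCHEMA = """
CREATE TABLE push_subscriptions (
    endpoint TEXT PRIMARY KEY,
    p256dh   TEXT NOT NULL,
    auth     TEXT NOT NULL
);
CREATE TRIGGER push_subscriptions_immutable
BEFORE UPDATE OF endpoint, p256dh, auth ON push_subscriptions
BEGIN
    SELECT RAISE(ABORT, 'push subscription fields are immutable');
END;
"""
INSERT = "INSERT INTO push_subscriptions VALUES (:endpoint, :p256dh, :auth)"

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def save(db, sub):
    """Store a subscription; a known endpoint with different keys is rejected."""
    row = db.execute("SELECT p256dh, auth FROM push_subscriptions "
                     "WHERE endpoint = ?", (sub["endpoint"],)).fetchone()
    if row is None:
        with db:  # commit on success, roll back on error
            db.execute(INSERT, sub)
        return "created"
    if row == (sub["p256dh"], sub["auth"]):
        return "unchanged"
    raise ValueError("endpoint already stored with different keys")

def refresh(db, old_endpoint, new_sub):
    """A refresh is delete + insert in one transaction, never an UPDATE."""
    if new_sub["endpoint"] == old_endpoint:
        raise ValueError("refreshed subscription must have a new endpoint")
    with db:
        db.execute("DELETE FROM push_subscriptions WHERE endpoint = ?",
                   (old_endpoint,))
        db.execute(INSERT, new_sub)

def update_is_blocked(db, endpoint):
    """Try to overwrite a key in place; True if the trigger aborted it."""
    try:
        with db:
            db.execute("UPDATE push_subscriptions SET p256dh = 'tampered' "
                       "WHERE endpoint = ?", (endpoint,))
    except sqlite3.Error:
        return True
    return False
```
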