Web Push Pitfall

Posted on March 30, 2023 • 2 minute read

Whilst implementing Web Push notifications for my toy Q&A service curiouswolf I ran into an issue that led to me being stumped for hours. I was successfully receiving notifications from my server when using Chrome, but no matter what Safari was not playing ball.

Web Push requires the browser maintainers to run a notification endpoint. For example, when you use Google Chrome and you enable notifications on a page, your encrypted notifications get funneled through a server Google controls. In the case of Safari however, their endpoint was returning BadJwtToken for me despite it being considered valid by Google.

The Solution

It turns out that Apple (and Mozilla apparently) require you to include a sub claim in your JWT with a method of contact (such as an email) for them to consider it valid.

If you are providing an email, the sub claim should be prefixed with mailto:

{
  "sub": "mailto:admin@example.com", // <-- The important part
  "aud": "https://web.push.apple.com",
  "exp": "1680135079"
}

The reasoning behind this is to provide the operator of the endpoint with a means of contacting you if there's an issue. However, this technically goes against the Web Push spec, and it's frustrating that something like this isn't spelled out clearly in Apple or Mozilla's technical documentation.

Apple quite regularly leave important information out of their docs for web APIs like this, but it's really messed up that the only place Mozilla talk about this is in a blog post from 2016.

There was a comment section here. It's gone now.

As of March 16th, 2025 the United Kingdom's Online Safety Act has gone into full effect. The law presents a lot of challenges for hobbyist websites like this one to present any user-to-user content (like y'know, blog comments) and comes with some pretty serious repercussions for non-compliance.

The odds of Ofcom (the regulator whose job is to enforce this) kicking my door down over this blog are low if we are being honest with ourselves. But the odds are at least somewhere above zero and the punishment is a life ruining £18 million fine(!!) so it's just not worth the risk.

A kind lawyer has written up the implications of this law for self-run blogs like this one and the only way to guarantee that I am not in-scope would be to manually review all comments made before being available to the public. Not to be a big baby about it all but I don't really want to do this! I liked my current setup!

So I guess as a little act of protest and to hedge against any risk I've removed the comment section entirely. Sorry about that!

If you want more information on this and how much this sucks for the hobbyist internet please read this writeup.