XF 2.2 Push Notifications - IP Reveal?

[rosal]

The Push Notifications can reveal the origin server IP, even if i use Cloudflare?

 

[Chris D]

I don’t think the server IP address is leaked in the process as far as I know.

 

[Kirby]

I don’t think the server IP address is leaked in the process as far as I know.

Hmm, don't the endpoint push servers get the IP address of the server initiating the push?
I can't think of any way this would not be the case, except if using a proxy or VPN in which case the IP does get "leaked" to that proxy or VPN host.

 

[Mike]

The push endpoint would get the server IP.

 

[rosal]

The push endpoint would get the server IP.

And who is the push endpoint?
Is not the user browser?

 

[Chris D]

Hmm, do the endpoint push servers not get the IP address of the server initiating the push?
I can't think of any way this would not be the case, except if using a proxy or VPN in which case the IP does get "leaked" to that proxy or VPN host.

Yes but as these are typically controlled by Google, Mozilla, Microsoft etc. this shouldn’t be an issue in terms of IP protection purposes. In this context they would be trusted.

The IP address isn’t leaked to the person who receives the push notification i.e. a potentially untrusted party to the best of my knowledge.

 

[Chris D]

So we've made a little change here for 2.2.6.

If you have a HTTP proxy configured in your src/config.php then this will be used to proxy the push notifications to the cloud messaging endpoint.

This essentially removes the risk of an untrustworthy endpoint being injected for the sole purpose of leaking an IP address.

 

[rosal]

Nice, this way is more secure to use Push Notifications