Closed
Bug 1269767
Opened 9 years ago
Closed 9 years ago
Push API detail remain after delete service worker registration
Categories
(Core :: DOM: Notifications, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1185716
 | Tracking | Status |
---|---|---|
firefox49 | --- | affected |
People
(Reporter: takashi.kazenomamani, Unassigned)
Details
(Keywords: privacy)
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160420030213
Steps to reproduce:
1. Go to https://serviceworke.rs/push-simple_demo.html.
2. A user gives permission to web push.
3. Delete service worker registration from "about:serviceworkers".
4. Push subscription will remain on Firefox.
Actual results:
When a user deletes a service worker registration, the push subscription remains in Firefox, although the push subscription will be deactivated, so the user will no longer be able to receive a push message.
W3C stated...
-----------------------------------------
5. Security and privacy considerations
When a service worker registration is unregistered, any associated push subscription must be deactivated.
Source: https://w3c.github.io/push-api/#security-and-privacy-considerations
4.3 Push subscription
When a push subscription is deactivated, both the user agent and the push service must delete any stored copies of its details.
Source: https://w3c.github.io/push-api/#push-subscription
-----------------------------------------
After a service worker registration is unregistered, the remaining subscription will reveal the push endpoint (URL). Does that mean Firefox violates section 4.3?
Expected results:
When a service worker registration is deleted, the Push API subscription will also be deleted completely.
I forgot to mention my test environment.
OS: Ubuntu 14.04 64-bit
Browser: Firefox Nightly 48.0a1 and Firefox 46.0.
---------------------------------------------------------
I uploaded my PoC video to Google Drive. Please watch it.
https://drive.google.com/open?id=0B1vJ77JB-BeoRElEOEUteUZwZzA
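The requirement quoted in the report (unregistering must deactivate the subscription and delete its stored details) can be turned into a regression check run from page script. This is an added example, not code from the report or from Mozilla; the function names, `scriptURL` and `scope` are hypothetical, and it assumes notification permission was already granted and that a subscription retained for a scope shows up again when that scope is re-registered.

```javascript
// Added example. `container` must behave like navigator.serviceWorker.
// Function names, scriptURL and scope are hypothetical, chosen for illustration.

// Resolve once the registration has an active worker (subscribe() needs one).
function whenActive(reg) {
  if (reg.active) return Promise.resolve(reg);
  const worker = reg.installing || reg.waiting;
  return new Promise((resolve, reject) => {
    worker.addEventListener('statechange', () => {
      if (worker.state === 'activated') resolve(reg);
      if (worker.state === 'redundant') reject(new Error('worker became redundant'));
    });
  });
}

async function checkPushClearedOnUnregister(container, scriptURL, scope) {
  // Steps 1-2 of the report: register, then subscribe (permission already granted).
  const first = await whenActive(await container.register(scriptURL, { scope }));
  const sub = await first.pushManager.subscribe({ userVisibleOnly: true });
  const oldEndpoint = sub.endpoint;

  // Script equivalent of step 3: unregister. Per the quoted Push API text this
  // must deactivate the subscription and delete stored copies of its details.
  const unregistered = await first.unregister();

  // Assumption: a retained subscription is keyed by scope, so re-registering
  // the same scope and calling getSubscription() exposes it.
  const second = await whenActive(await container.register(scriptURL, { scope }));
  const leftover = await second.pushManager.getSubscription();
  await second.unregister(); // leave no registration behind

  return {
    unregistered,
    leaked: leftover !== null, // true means details outlived the registration
    sameEndpoint: leftover !== null && leftover.endpoint === oldEndpoint,
  };
}
```

In a browser, call it with `navigator.serviceWorker`; `leaked: true` corresponds to the "Actual results" above and `leaked: false` to the "Expected results".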
Updated•9 years ago
Group: firefox-core-security → core-security
Component: Untriaged → DOM: Service Workers
Product: Firefox → Core
Updated•9 years ago
status-firefox49:
--- → affected
Updated•9 years ago
Keywords: sec-moderate
Updated•9 years ago
Component: DOM: Service Workers → DOM: Push Notifications
Comment 2•9 years ago
Thanks for reporting this! There's a patch that fixes this in bug 1185716, but it's blocked on test failures caused by invalidating quota manager storage (https://bugzilla.mozilla.org/show_bug.cgi?id=1185716#c13).
Comment 4•9 years ago
No worries at all! I think we can close this as a duplicate, yes. We can reopen if this should be tracked separately.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Comment 5•9 years ago
(In reply to Kit Cambridge [:kitcambridge] from comment #4)
> No worries at all! I think we can close this as a duplicate, yes. We can
> reopen if this should be tracked separately.
>
> *** This bug has been marked as a duplicate of bug 1185716 ***
Can we open this bug up considering that bug is public? Is it really sec-sensitive anyway?
Flags: needinfo?(kcambridge)
Flags: needinfo?(abillings)
Updated•9 years ago