[GH-ISSUE #1497] ntfy.sh/app WebPush Notifications do not work with ntfy UnifiedPush Distributor #1057

Open
opened 2026-05-07 00:29:56 +02:00 by BreizhHardware · 9 comments

Originally created by @bam80 on GitHub (Nov 24, 2025).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/1497

🔮 Additional context

They only work with Sunup.
See details here:
https://codeberg.org/UnifiedPush/wishlist/issues/27#issuecomment-5786435
Why it doesn't work:

> They use an allow list: https://github.com/binwiederhier/ntfy/blob/3c8ac4a1e14919705b305d7eddc89e546c7bac56/server/server_webpush.go#L20


@binwiederhier commented on GitHub (Feb 1, 2026):

I'm paging @p1gp1g for help on this one. Is this something that can be easily addressed in ntfy?


@p1gp1g commented on GitHub (Feb 16, 2026):

I think it can be addressed easily: instead of relying on an allow list, you can use the paranoid-http client (https://github.com/hakobe/paranoidhttp) for the POST to the push servers; it forbids private IPs.

You can take example on common-proxies (https://codeberg.org/UnifiedPush/common-proxies): https://codeberg.org/UnifiedPush/common-proxies/src/commit/d0b7d9d14d8bd0e334f236fa3e463581a67c56b7/handler.go#L23

If you also wish to push to a configured private IP (which is probably not the case for ntfy), you can add a configuration that allows a domain: https://codeberg.org/UnifiedPush/common-proxies/src/commit/d0b7d9d14d8bd0e334f236fa3e463581a67c56b7/handler.go#L81

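The deny-by-address approach p1gp1g describes, as an added example in Go that is not ntfy's or common-proxies' code (function names are my own; the range checks are the ones Go's net package provides). The policy runs in the dialer's Control hook, i.e. on the concrete IP after DNS resolution, so it also covers a hostname that resolves to a private address only at connect time:

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// isForbiddenIP reports whether an address lies in a range an outbound push request
// must never reach: loopback, RFC 1918 / ULA private space, link-local (which covers
// 169.254.169.254 cloud metadata), unspecified and multicast. IPv4-mapped IPv6 is handled.
func isForbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// dialAllowed is the policy applied to the concrete "ip:port" the dialer is about to
// connect to. Running it after DNS resolution means a hostname that later resolves to a
// private address (DNS rebinding) is refused at connect time, not just at registration.
func dialAllowed(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("dial %q: expected an IP literal after resolution", address)
	}
	if isForbiddenIP(ip) {
		return fmt.Errorf("dial %q: address is in a forbidden range", address)
	}
	return nil
}

// newPushClient builds an http.Client whose transport runs dialAllowed on every
// connection attempt (redirects included), so a POST to a push endpoint can only
// ever reach a public address.
func newPushClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return dialAllowed(address)
		},
	}
	return &http.Client{Timeout: 15 * time.Second, Transport: &http.Transport{DialContext: dialer.DialContext}}
}
```

An explicit hostname allowlist, as ntfy uses today, can be layered on top of this client; the dial-time check is what closes the gap between the two.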

@wrenix commented on GitHub (Mar 17, 2026):

I was already writing a duplicated issue; this problem also exists on self-hosted WebPush servers (e.g. autopush).

Please make the AllowList configurable.


@binwiederhier commented on GitHub (Mar 17, 2026):

I struggle to understand the use case entirely. I'm more than happy to implement things, but I need to understand why.

The linked web push allowlist is hard coded because there are only 2-3 browsers out there and web push is used to push notifications to the browser. The browsers decide what URLs they register. So what web push URLs do we need to support here?!


@p1gp1g commented on GitHub (Mar 17, 2026):

There are 2-3 main browsers, but many smaller ones, some of them allow self-hosting the push server.

A proper way to manage this is to not use an allow-list, but to deny POST requests to unauthorized IPs instead; cf. the Go code I shared earlier.


@binwiederhier commented on GitHub (Mar 17, 2026):

Understood. The "proper" way is debatable. I have worked really hard to not allow any http requests to other servers from the ntfy server, because it can be a potential attack vector (not just for private IPs). I don't really want ntfy.sh to reach out to random other servers.

I'll likely add an allowlist for this then. What browsers can this be tested with?

How is this related to UP? Web push isn't used for UP yet. Or is it and I forgot?


@p1gp1g commented on GitHub (Mar 17, 2026):

Yep, the other issue may be a DoS amplification on some apps, but it doesn't apply to ntfy, as an event can't trigger push notifications from multiple servers at once. This issue is resolved by another mechanism: during the registration of the push endpoint, the server sends a token the client must validate before sending the other push notifications. So we know it is a valid push server. If an attacker changes their push server to a targeted server, it would fail during TLS negotiation, and the server is usually cached as unreachable at this moment.


@wrenix commented on GitHub (Mar 17, 2026):

The browsers Fennec (on F-Droid, patches here: https://gitlab.com/relan/fennecbuild) and IronFox (https://ironfoxoss.org/) support the usage of UnifiedPush (for WebPush). So these browsers could use any UnifiedPush provider to implement WebPush (and with it any domain/server).


@p1gp1g commented on GitHub (Mar 17, 2026):

And yes, UnifiedPush app server to push server is defined by web push (RFC8030, RFC8291, RFC8292) now for ~1.5 years.

2 of the browsers that allow self-hosting the push server do it via UnifiedPush.
