PubSubHubbubの後継なのか名前が変わったのかよくわからないが、WebSubってのが新しくW3C勧告候補に昇格らしいので、とりあえずW3CのドキュメントをGoogle翻訳使いながら翻訳してみる。
元のドキュメント（W3C）

量が多くて大変なので、出来れば誰か手伝って欲しい...もしくは誰か翻訳してくんないかなぁ...
https://gist.github.com/tao-s/5f060640830e47971209ffcc804ff4b5

WebSub

W3C Candidate Recommendation 11 April 2017

This version:: https://www.w3.org/TR/2017/CR-websub-20170411/
Latest published version:: https://www.w3.org/TR/websub/
Latest editor's draft:: https://w3c.github.io/websub/
Test suite:: https://websub.rocks/
Implementation report:: https://github.com/w3c/websub/tree/master/implementation-reports
Previous version:: https://www.w3.org/TR/2016/WD-websub-20161124/
Editors:: Julien Genestoux; Aaron Parecki
Author:: Julien Genestoux
Past Authors:: Brad Fitzpatrick; Brett Slatkin; Martin Atkins
Repository:: Github; Issues; Commits

概要

WebSubはあらゆる種類のWebコンテンツのパブリッシャとサブスクライバー間の通信にHTTP Webフックをベースとした共通のメカニズムを提供します。サブスクリプションリクエストは、リクエストを検証するハブを介してリレーされます。その後、ハブは利用可能になったときに新しいコンテンツと更新されたコンテンツをサブスクライバに配信します。 WebSubは以前はPubSubHubbubとして知られていました。

この文書のステータス

このセクションでは、このドキュメントの発行時点におけるステータスについて説明します。他のドキュメントは、このドキュメントよりも優先されます。現在のW3C technical reports indexの出版物のリストとこの技術レポートの最新の改訂版は、 W3C technical reports indexテクニカルレポートのインデックスは https://www.w3.org/TR/ でご覧いただけます。

This document was published by the Social Web Working Group as a Candidate Recommendation. This document is intended to become a W3C Recommendation. If you wish to make comments regarding this document, please send them topublic-socialweb@w3.org (subscribe, archives). W3C publishes a Candidate Recommendation to indicate that the document is believed to be stable and to encourage implementation by the developer community. This Candidate Recommendation is expected to advance to Proposed Recommendation no earlier than 11 May 2017. All comments are welcome.

Please see the Working Group's implementation report.

Publication as a Candidate Recommendation does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 March 2017 W3C Process Document.

リスクのある機能（実装間に合わんかったやつ?）

これらの機能にはリスクがあります。; if interoperable implementations are not found, they may be removed to advance the other features in this specification to Proposed Recommendation:

Host-Metaの発見方法
<link>タグの制限は、HTML文書の<head>に制限されています

This document is currently a W3C TR track document. Current bugs and issues are managed in GitHub.

1. 定義

トピック: HTTP [RFC7230]リソースURL。自分が購読可能なユニット。
ハブ ("the hub"): このプロトコルの両側を実装するサーバー（URL [WHATWG-URL]）。どんなハブもそれを誰が使うことができるかについて独自のポリシーを実装してもよい（MAY）。
パブリッシャー（出版者）: An owner of a topic. Notifies the hub when the topic feed has been updated. As in almost all pubsub systems, the publisher is unaware of the subscribers, if any. Other pubsub systems might call the publisher the "source".
サブスクライバー（購読者）: An entity (person or program) that wants to be notified of changes on a topic. The subscriber must be directly network-accessible and is identified by its Subscriber Callback URL.
サブスクリプション（購読）: A unique relation to a topic by a subscriber that indicates it should receive updates for that topic. A subscription's unique key is the tuple (Topic URL, Subscriber Callback URL). Subscriptions may (at the hub's decision) have expiration times akin to DHCP leases which must be periodically renewed.
サブスクライバーコールバック URL: The URL [WHATWG-URL] at which a subscriber wishes to receive notifications.
イベント: An event that causes updates to multiple topics. For each event that happens (e.g. "Brad posted to the Linux Community."), multiple topics could be affected (e.g. "Brad posted." and "Linux community has new post"). Publisher events cause topics to be updated and the hub looks up all subscriptions for affected topics, sending out notifications to subscribers.
通知: A payload describing how a topic's contents have changed, or the full updated content. Depending on the topic's content type, the difference (or "delta") may be computed by the hub and sent to all subscribers.

2. ハイレベルプロトコルフロー

(このセクションは参考（non-normative）セクションです)

パブリッシャーは彼らのトピックが変更された時に彼らのハブにURLを通知します。
サブスクライバーは、興味を持っているトピックを、それが告知されているハブの1つ以上にPOSTします。
ハブは、トピックの変更を識別すると、登録されたすべてのサブスクライバに通知を送信します。

このプロトコルの以前のバージョンはPubSubHubbubと呼ばれました:

Working Draft 0.3 [PubSubHubbub-Core-0.3]
Working Draft 0.4 [PubSubHubbub-Core-0.4]

3. 準拠

この文書のキーワード "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", " SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", "OPTIONAL"は[RFC2119]で説明されているように解釈される。

3.1 準拠クラス

WebSubには、パブリッシャー、サブスクライバー、ハブの3つの役割が記述されています。このセクションでは、各ロールの適合基準について説明します。

パブリッシャー

MUST 適合するパブリッシャーは、発見（Discovery）で説明されている特定のリソースURLであるトピックURLとハブURLを宣言しなければならない。

サブスクライバー

A conforming subscriber:

MUST support each discovery mechanism in the specified order to discover the topic and hub URLs as described in Discovery.
MUST send a subscription request as described in Subscriber Sends Subscription Request.
MAY request a specific lease duration
MAY include a secret in the subscription request, and if it does, then MUST use the secret to verify the signature in the content distribution request.
MUST acknowledge a content distribution request with an HTTP 2xx status code.
MAY request that a subscription is deactivated using the "unsubscribe" mechanism.

Hubs

A conforming hub:

MUST accept a subscription request with the parameters hub.callback, hub.mode and hub.topic.
MUST accept a subscription request with a hub.secret parameter.
MAY respect the requested lease duration in subscription requests.
MUST allow subscribers to re-request already active subscriptions.
MUST support unsubscription requests.
MUST send content distribution requests with a matching content type of the topic URL.
MAY reduce the payload of the content distribution to a diff of the contents for supported formats as described in Content Distribution.
MUST send a X-Hub-Signature header if the subscription was made with a hub.secret as described in Authenticated Content Distribution.

3.2 Candidate Recommendation Exit Criteria

For this specification to exit the CR stage, there must be at least two independent, interoperable implementations of each feature. Each feature may be implemented by a different set of products. There is no requirement that all features be implemented by a single product. For the purposes of this criterion, we define the following terms:

3.2.1 Publisher

A WebSub Publisher is an implementation that advertises a topic and hub URL on one or more resource URLs. The conformance criteria are described in Conformance Classes above.

3.2.2 Subscriber

A WebSub Subscriber is an implementation that discovers the hub and topic URL given a resouce URL, subscribes to updates at the hub, and accepts content distribution requests from the hub. The subscriber MAY support authenticated content distribution. The conformance criteria are described in Conformance Classes above.

3.2.3 Hub

A WebSub Hub is an implementation that handles subscription requests and delivers notifications to subscribers when the corresponding topic URL has been updated. Hubs MUST support subscription requests with a secret and deliver authenticated notifications when requested. Hubs MUST deliver the full contents of the topic URL in the notification, and MAY reduce the payload to a diff if the content type supports it. The conformance criteria are described in Conformance Classes above.

3.2.4 Independent

Each implementation must be developed by a different party and cannot share, reuse, or derive from code used by another qualifying implementation. Sections of code that have no bearing on the implementation of this specification are exempt from this requirement.

3.2.5 Interoperable

A Subscriber and Hub implementation are considered interoperable for a specific feature when the Hub takes the defined action that the Subscriber requests, the Subscriber gets the expected response from a Hub according to the feature, and the Hub sends the expected response to the Subscriber.

3.2.6 Feature

For the purposes of evaluating exit criteria, each of the following is considered a feature:

Discovering the hub and topic URLs by looking at the HTTP headers of the resource URL.
Discovering the hub and topic URLs by looking at the contents of the resource URL as an XML document.
Discovering the hub and topic URLs by looking at the contents of the resource URL as an HTML document.
Discovering the hub URL by using the Host-Meta Well-Known URI.
Subscribing to the hub with a callback URL.
Subscribing to the hub and requesting a specific lease duration.
Subscribing to the hub with a secret and handling authenticated content distribution.
Requesting that a subscription is deactivated by sending an unsubscribe request.
The Subscriber acknowledges a pending subscription on a validation request.
The Subscriber rejects a subscription validation request for an invalid topic URL.
The Subscriber returns an HTTP 2xx response when the payload is delivered.
The Subscriber verifies the signature for authenticated content distribution requests.
The Subscriber rejects the distribution request if the signature does not validate.
The Subscriber rejects the distribution request when no signature is present if the subscription was made with a secret.
The Hub respects the requested lease duration during a subscription request.
The Hub allows Subscribers to re-request already active subscriptions, extending the lease duration.
The Hub sends the full contents of the topic URL in the distribution request.
The Hub sends a diff of the topic URL for the formats that support it.
The Hub sends a valid signature for subscriptions that were made with a secret.

4. Discovery

The discovery mechanism aims at identifying at least 2 URLs.

The URL of the hub(s) designated by the publisher. If more than one URL is specified, it is expected that the publisher pings each of these URLs, so the subscriber may subscribe to one or more of these.
The canonical URL for the topic to which subscribers are expected to use for subscriptions.

The protocol currently supports the following discovery mechanisms. Publishers MUST implement at least one of them:

Link Headers [RFC5988]: the publisher SHOULD include at least one Link Header [RFC5988] with rel=hub (a hub link header) as well as exactly one Link Header [RFC5988] with rel=self (the self link header)
If the topic is an XML based feed, publishers SHOULD use embedded link elements as described in Appendix B of Web Linking [RFC5988]. Similarly, for HTML pages, publishers SHOULD use embedded link elements as described in Appendix A of Web Linking [RFC5988]. However, for HTML, these <link> elements MUST be only present in the <head> section of the HTML document. (Note: The restriction on limiting <link> to the <head> is At Risk.)
Finally, publishers MAY also use the Host-Meta Well-Known URI [RFC6415] /.well-known/host-meta to include the <Link> element with rel="hub". However, please note that this mechanism is currently At Risk and may be deprecated.

Example 1

GET /feed HTTP/1.1
Host: example.com

HTTP/1.1 200 Ok
Content-type: text/html
Link: <https://hub.example.com/>; rel="hub"
Link: <http://example.com/feed>; rel="self"

<!doctype html>
<html>
<head>
<link rel="hub" href="https://hub.example.com/">
<link rel="self" href="http://example.com/feed">
</head>
<body>
...
</body>
</html>

When perfoming discovery, subscribers MUST implement all three discovery mechanisms in the following order, stopping at the first match:

Issue a GET or HEAD request to retrieve the topic URL. Subscribers MUST check for HTTP Link headers first.
In the absence of HTTP Link headers, and if the topic is an XML based feed or an HTML page, subscribers MUST check for embedded link elements.
In the absence of both HTTP Link headers and embedded link elements, subscribers MUST look in the Host-Meta Well-Known URI [RFC6415] /.well-known/host-meta for the <Link> element with rel="hub". However, please note that this mechanism is currently At Risk and may be deprecated.

Warning

Note: The Host-Meta method of discovery is currently At Risk and may be deprecated. The working group requests feedback on this issue, which can be discussed here.

4.1 Content Negotiation

For practical purposes, it is important that the rel=self URL only offers a single representation. As the hub has no way of knowing what mime-type may have been requested by the subscriber upon discovery, it would not be able to perform notifications using the same mime-type.

It is, however, possible to perform content negotiation by returning an appropriate rel=self URL according to the HTTP headers used in content negotiation. For example, a request to /feed with an Accept header containing application/json could return a rel=self value of /feed.json.

The example below illustrates how a topic URL can return different Link headers depending on the Accept header that was sent.

Example 2

GET /feed HTTP/1.1
Host: example.com
Accept: application/json

HTTP/1.1 200 Ok
Content-type: application/json
Link: </feed.json>; rel="self"
Link: <https://hub.example.com/>; rel="hub"

{
"items": [...]
}

Example 3

GET /feed HTTP/1.1
Host: example.com
Accept: text/html

HTTP/1.1 200 Ok
Content-type: text/html
Link: </feed.html>; rel="self"
Link: <https://hub.example.com/>; rel="hub"

<html>
...

5. Subscribing and Unsubscribing

Subscribing to a topic URL consists of four parts that may occur immediately in sequence or have a delay.

Requesting a subscription using the hub
Validating the subscription with the publisher (OPTIONAL)
Confirming the subscription was actually desired by the subscriber
Periodically reconfirming the subscription is still active (OPTIONAL)

Unsubscribing works in the same way, except with a single parameter changed to indicate the desire to unsubscribe. Also, the Hub will not validate unsubscription requests with the publisher.

5.1 Subscriber Sends Subscription Request

Subscription is initiated by the subscriber making an HTTPS or HTTP POST [RFC7231] request to the hub URL. This request MUST have a Content-Type header of application/x-www-form-urlencoded (described in Section 4.10.22.6 [HTML5]), MUST use UTF-8 [Encoding] as the document character encoding, and MUST use the following parameters in its body, formatted accordingly:

hub.callback: REQUIRED. The subscriber's callback URL where notifications should be delivered. The callback URL SHOULD be an unguessable URL that is unique per subscription. ([capability-urls])
hub.mode: REQUIRED. The literal string "subscribe" or "unsubscribe", depending on the goal of the request.
hub.topic: REQUIRED. The topic URL that the subscriber wishes to subscribe to or unsubscribe from. Note that this MUST be the "self" URL found during the discovery step, which may be different from the URL that was used to make the discovery request.
hub.lease_seconds: OPTIONAL. Number of seconds for which the subscriber would like to have the subscription active, given as a positive decimal integer. Hubs MAY choose to respect this value or not, depending on their own policies. This parameter MAY be present for unsubscription requests and MUST be ignored by the hub in that case.
hub.secret: OPTIONAL. A subscriber-provided secret string that will be used to compute an HMAC digest for authorized content distribution. If not supplied, the HMAC digest will not be present for content distribution requests. This parameter SHOULD only be specified when the request was made over HTTPS [RFC2818]. This parameter MUST be less than 200 bytes in length.

Subscribers MAY also include additional HTTP [RFC7230] request parameters, as well as HTTP [RFC7230] Headers if they are required by the hub.

Hubs MUST ignore additional request parameters they do not understand.

Hubs MUST allow subscribers to re-request subscriptions that are already activated. Each subsequent request to a hub to subscribe or unsubscribe MUST override the previous subscription state for a specific topic URL and callback URL combination, but only once the action is verified (Section 4.3). If verification fails, the subscription state MUST be left unchanged. This is required so subscribers can renew their subscriptions before the lease seconds period is over without any interruption. The subscriber MAY use a new hub.secret value in a future subscription, and MAY make a new subscription without a hub.secret.

5.1.1 Subscription Parameter Details

The topic and callback URLs MAY use HTTP or HTTPS [RFC7230] schemes. The topic URL MUST be the one advertised by the publisher in a Self Link Header during the discovery phase. (See Section 3 ). Hubs MAY refuse subscriptions if the topic URL does not correspond to the one advertised by the publisher. The topic URL can otherwise be free-form following the URL spec [WHATWG-URL]. Hubs MUST always decode non-reserved characters for these URL parameters; see section 1.2 on "Percent-encoded bytes" in [WHATWG-URL].

The callback URL SHOULD be an unguessable unique URL ([capability-urls]) and SHOULD use HTTPS [RFC7230]. The callback URL acts as authentication from the hub to the subscriber when confirming subscriptions and delivering notifications. Additionally, the callback SHOULD be unique (not re-used for multiple hubs) and changed when subscriptions are renewed.

The callback URL MAY contain arbitrary query string parameters (e.g., ?foo=bar&red=fish). Hubs MUST preserve the query string during subscription verification by appending new parameters to the end of the list using the & (ampersand) character to join. Existing parameters with names that overlap with those used by verification requests will not be overwritten. For event notification, the callback URL will be POSTed to including any query string parameters in the URL portion of the request, not as POST body parameters.

5.1.2 Subscription Response Details

If the hub URL supports WebSub and is able to handle the subscription or unsubscription request, it MUST respond to a subscription request with an HTTP [RFC7231] 202 "Accepted" response to indicate that the request was received and will now be verified (Section 4.3 ) and validated (Section 4.2 ) by the hub. The hub SHOULD perform the verification and validation of intent as soon as possible.

If a hub finds any errors in the subscription request, an appropriate HTTP [RFC7231] error response code (4xx or 5xx) MUST be returned. In the event of an error, hubs SHOULD return a description of the error in the response body as plain text, used to assist the client developer in understanding the error. This is not meant to be shown to the end user. Hubs MAY decide to reject some callback URLs or topic URLs based on their own policies (e.g., domain authorization, topic URL port numbers). However, since verification and validation of intent are asynchronous steps that logically begin after the HTTP response has been returned, the HTTP response MUST NOT depend on the process or outcome of verification or validation.

If the hub URL is not able to handle subscription or unsubscription requests, it MAY redirect to another hub which supports WebSub. It does so by yielding an HTTP [RFC7231] 307 (temporary redirect) or 308 (permanent redirect) response. It MUST also include at least a HTTP [RFC7230] Location Header containing a preferred URL reference for the hub to use by the subscriber. The subscriber is expected to retry the subscription or unsubscription at the new hub URL.

5.2 Subscription Validation

Subscriptions MAY be validated by the Hubs who may require more details to accept or refuse a subscription. The Hub MAY also check with the publisher whether the subscription should be accepted.

If (and when), the subscription is accepted, the hub MUST perform the verification of intent of the subscriber.

If (and when), the subscription is denied, the hub MUST inform the subscriber by sending an HTTP [RFC7231] GET request to the subscriber's callback URL as given in the subscription request. This request has the following query string arguments appended (format described in Section 4 of [WHATWG-URL]):

hub.mode: REQUIRED. The literal string "denied".
hub.topic: REQUIRED. The topic URL given in the corresponding subscription request.
hub.reason: OPTIONAL. The hub may include a reason for which the subscription has been denied.

Hubs may provide an additional HTTP [RFC7231] Location header (as described in section 7.1.2 of Hypertext Transfer Protocol [RFC7231]) to indicate that the subscriber may retry subscribing to a different hub.topic. This allows for limited distribution to specific groups or users in the context of social web applications.

The subscription MAY be denied by the hub at any point (even if it was previously accepted). The Subscriber SHOULD then consider that the subscription is not possible anymore.

5.3 Hub Verifies Intent of the Subscriber

In order to prevent an attacker from creating unwanted subscriptions on behalf of a subscriber (or unsubscribing desired ones), a hub must ensure that the subscriber did indeed send the subscription request.

The hub verifies a subscription request by sending an HTTP [RFC7231] GET request to the subscriber's callback URL as given in the subscription request. This request has the following query string arguments appended (format described in Section 4 of [WHATWG-URL]):

hub.mode: REQUIRED. The literal string "subscribe" or "unsubscribe", which matches the original request to the hub from the subscriber.
hub.topic: REQUIRED. The topic URL given in the corresponding subscription request.
hub.challenge: REQUIRED. A hub-generated, random string that MUST be echoed by the subscriber to verify the subscription.
hub.lease_seconds: REQUIRED/OPTIONAL. The hub-determined number of seconds that the subscription will stay active before expiring, measured from the time the verification request was made from the hub to the subscriber. Hubs MUST supply this parameter for subscription requests. This parameter MAY be present for unsubscribe requests and MUST be ignored by subscribers during unsubscription.

5.3.1 Verification Details

The subscriber MUST confirm that the hub.topic corresponds to a pending subscription or unsubscription that it wishes to carry out. If so, the subscriber MUST respond with an HTTP success (2xx) code with a response body equal to the hub.challenge parameter. If the subscriber does not agree with the action, the subscriber MUST respond with a 404 "Not Found" response.

The hub MUST consider other server response codes (3xx, 4xx, 5xx) to mean that the verification request has failed. If the subscriber returns an HTTP [RFC7231] success (2xx) but the content body does not match the hub.challenge parameter, the hub MUST also consider verification to have failed.

Hubs MAY make the hub.lease_seconds equal to the value the subscriber passed in their subscription request but MAY change the value depending on the hub's policies. To sustain a subscription, the subscriber MUST re-request the subscription on the hub before hub.lease_seconds seconds has elapsed.

Hubs MUST enfore lease expirations, and MUST NOT issue perpetual lease durations.

Note

The spec uses GET vs POST to differentiate between the confirmation/denial of the subscription request and delivering the actual notification. While this is not considered "best practice" from a web architecture perspective, it does make implementation of the callback URL simpler. Since the POST body of the notification may be any arbitrary content type and only includes the actual content of the document, using the GET vs POST distinction to switch between handling these two modes makes implementations simpler.

6. Publishing

The publisher MUST inform the hubs it previously designated when a topic has been updated. The hub and the publisher can agree on any mechanism, as long as the hub is eventually able send the updated payload to the subscribers.

7. Content Distribution

A content distribution request is sent from the Hub to the Subscriber when new content is available for a topic URL. The request is an HTTP [RFC7231] POST request from the hub to the subscriber's callback URL. The HTTP body of the POST request MUST include the payload of the notification. The content distribution request MUST have a Content-Type Header corresponding to the Content-Type of the topic, and MUST contain the full contents of the topic URL, with an exception allowed as described below.

For Atom ([RFC4287]) and RSS ([RSS-2.0]) feeds, the hub MAY remove already-delivered atom:entry or rss:item elements from the feed.

The request MUST include at least one Link Header [RFC5988] with rel=hub pointing to a Hub associated with the topic being updated. It MUST also include one Link Header [RFC5988] with rel=self set to the canonical URL of the topic being updated. The Hub SHOULD combine these headers into a single Link Header [RFC5988]. All these URLs are those resulting from the discovery process (Section 3). The subscriber MUST NOT use these Link headers to identify the subscription corresponding to the content distribution request, because the Link headers are metadata associated with the topic content, not with any particular subscription. A hub MAY use discovery from time to time to detect changes in a topic's canonical URL and Hub URLs. Any such changes will cause changes to the Link headers sent in subsequent content distribution requests.

The successful response from the subscriber's callback URL MUST be an HTTP [RFC7231] success (2xx) code. The hub MUST consider all other subscriber response codes as failures; that means subscribers MUST NOT use HTTP redirects for moving subscriptions. Subscribers SHOULD respond to notifications as quickly as possible; their success response code SHOULD only indicate receipt of the message, not acknowledgment that it was successfully processed by the subscriber. The response body from the subscriber MUST be ignored by the hub. Hubs SHOULD retry notifications up to self-imposed limits on the number of times and the overall time period to retry. When the failing delivery exceeds the hub's limits, the hub terminates the subscription.

7.1 Authenticated Content Distribution

If the subscriber supplied a value for hub.secret in their subscription request, the hub MUST generate an HMAC signature of the payload and include that signature in the request headers of the content distribution request. The X-Hub-Signature header's value MUST be in the form method=signature where method is one of the recognized algorithm names and signature is the, hexadecimal representation of the signature. The signature MUST be computed using the HMAC algorithm [RFC6151] with the request body as the data and the hub.secret as the key.

7.1.1 Recognized algorithm names

The following algorithms are the initially registered algorithm names, based on the contents of the referenced registry at the time of publishing. [FIPS PUB 180-4]

sha1: The SHA-1 algorithm as specified in Section 6.1 of [FIPS PUB 180-4]
sha256: The SHA-256 algorithm as specified in Section 6.2
sha384: The SHA-384 algorithm as specified in Section 6.5
sha512: The SHA-512 algorithm as specified in Section 6.4

In the future, any algorithm added to [FIPS PUB 180-4] SHOULD be supported by hubs and subscribers.

7.1.2 Signature validation

When subscribers receive a content distribution request with theX-Hub-Signature header specified, they SHOULD recompute the signature with the shared secret using the same method (provided in the X-Hub-Signature header) as the hub. If the signature does not match, subscribers MUST still return a 2xx success response to acknowledge receipt, but locally ignore the message as invalid. Using this technique along with HTTPS [RFC2818] for subscription requests enables simple subscribers to receive authenticated notifications from hubs without the need for subscribers to run an HTTPS [RFC2818] server.

Please note however that this signature only ensures that the payload was not forged. Since the notification also includes headers, these should not be considered as safe by the subscriber, unless of course the subscriber uses HTTPS [RFC2818] callbacks.

8. Security Considerations

Here is a summary of security considerations. It is important to note that WebSub is a server to server protocol which relies only on HTTP. It is strongly recommended to use HTTPS for all requests.

8.1 Discovery

There are no specific security considerations for discovery.

8.2 Subscriptions

First, subscribers SHOULD always favor the HTTPS URL for hubs (even if the URL is advertised as HTTP). Then the subscribers SHOULD use unique unguessable capability URLs for the callbacks, as well as make them available via HTTPS. Finally, subscribers SHOULD use a hub.secret when subscribing to allow signature of the content distribution. Hubs SHOULD enforce short lived hub.lease_seconds (10 days is a good default). When performing intent verification, the hub SHOULD use a random, single use hub.challenge.

8.3 Distribution

The Hub MUST use the exact callback used by the subscriber (including the use of HTTPS). Hubs MUST sign their requests using the hub.secret supplied by subscribers. Subscribers MUST perform the same signature mechanism and MUST discard notifications which failed this test.

8.4 Security and Privacy Review

These questions provide an overview of security and privacy considerations for this specification as guided by Self-Review Questionnaire: Security and Privacy ([security-privacy-questionnaire]).

Does this specification deal with personally-identifiable information?: The only potentially personally-identifiable information involved are topic and callback URLs.
Does this specification deal with high-value data?: No, there is no authentication or other credentials involved.
Does this specification introduce new state for an origin that persists across browsing sessions?: No.
Does this specification expose persistent, cross-origin state to the web?: The WebSub subscriber should create a resource with information about the topic to which it subscribes.
Does this specification expose any other data to an origin that it doesn't currently have access to?: No.
Does this specification enable new script execution/loading mechanisms?: No.
Does this specification allow an origin access to a user's location?: No.
Does this specification allow an origin access to sensors on a user's device?: No.
Does this specification allow an origin access to aspects of a user's local computing environment?: No.
Does this specification allow an origin access to other devices?: No.
Does this specification allow an origin some measure of control over a user agent's native UI?: No.
Does this specification expose temporary identifiers to the web?: No.
Does this specification distinguish between behavior in first-party and third-party contexts?: No.
How should this specification work in the context of a user agent's "incognito" mode?: WebSub is a server to server protocol, in which "incognito" mode does not have a meaning.
Does this specification persist data to a user's local device?: No.
Does this specification allow downgrading default security characteristics?: No.

A. Change Log

This section is non-normative.

A.1 Changes from 24 November WD to this version

Clarified wording on supported algorithms for authenticated distribution

Only allow <link> tags in the HTML <head> element

Added conformance criteria and CR exit criteria

Added examples of discovery request and response

Added example of using different rel=self URLs to support content negotiation

Added a security considerations section

Updated references to [WHATWG-URL] instead of HTML 4

Replaced abstract with updated description

A.2 Changes from 20 October FPWD to 24 November 2016

Added informative reference to previous versions of the spec, PubSubHubbub 0.3 and 0.4

Split discovery section into separate publisher and subscriber sections

Clarify that publishers can use any available discovery method, and subscribers must support all

Marked host-meta discovery method At Risk due to no known implementations, and fixed reference to Host Meta spec instead of the previous reference to Well-Known

Recommend using Capability URLs as the subscriber's callback URLs for security and authenticating the notification delivery

Recommend not reusing callback URLs on subscription renewals

Clarify that the hub.topic must be the self URL that was discovered

Dropped the recommendation of including the From header on subscription requests

Clarify that the hub response to subscription requests must not depend on the verification or validation

Hubs must enforce lease expirations

Clarify that the notification payload should contain the full contents of the topic URL

Recommend that hubs should retry failed notification delivery up to self-imposed limits

Clarify that future defined signature methods in FIPS PUB 180-4 are allowed

Added informative note about the use of GET vs POST at the callback URL

Renamed the spec to WebSub

B. References

B.1 Normative references

[Encoding]: Encoding Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://encoding.spec.whatwg.org/
[HTML5]: HTML5. Ian Hickson; Robin Berjon; Steve Faulkner; Travis Leithead; Erika Doyle Navara; Theresa O'Connor; Silvia Pfeiffer. W3C. 28 October 2014. W3C Recommendation. URL: https://www.w3.org/TR/html5/
[RFC2119]: Key words for use in RFCs to Indicate Requirement Levels. S. Bradner. IETF. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
[RFC2818]: HTTP Over TLS. E. Rescorla. IETF. May 2000. Informational. URL: https://tools.ietf.org/html/rfc2818
[RFC5988]: Web Linking. M. Nottingham. IETF. October 2010. Proposed Standard. URL: https://tools.ietf.org/html/rfc5988
[RFC6151]: Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms. S. Turner; L. Chen. IETF. March 2011. Informational. URL: https://tools.ietf.org/html/rfc6151
[RFC6415]: Web Host Metadata. E. Hammer-Lahav, Ed.; B. Cook. IETF. October 2011. Proposed Standard. URL: https://tools.ietf.org/html/rfc6415
[RFC7230]: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. R. Fielding, Ed.; J. Reschke, Ed.. IETF. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7230
[RFC7231]: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content. R. Fielding, Ed.; J. Reschke, Ed.. IETF. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7231
[WHATWG-URL]: URL Standard. Anne van Kesteren. WHATWG. Living Standard. URL: https://url.spec.whatwg.org/

B.2 Informative references

[PubSubHubbub-Core-0.3]: PubSubHubbub Core 0.3 -- Working Draft. B. Fitzpatrick; B. Slatkin; M. Atkins.URL: https://pubsubhubbub.github.io/PubSubHubbub/pubsubhubbub-core-0.3.html
[PubSubHubbub-Core-0.4]: PubSubHubbub Core 0.4 -- Working Draft. B. Fitzpatrick; B. Slatkin; M. Atkins; J. Genestoux.URL: https://pubsubhubbub.github.io/PubSubHubbub/pubsubhubbub-core-0.4.html
[RFC4287]: The Atom Syndication Format. M. Nottingham, Ed.; R. Sayre, Ed.. IETF. December 2005. Proposed Standard. URL: https://tools.ietf.org/html/rfc4287
[RSS-2.0]: RSS 2.0. Dave Winer. RSS Board. Stable. URL: http://www.rssboard.org/rss-specification
[capability-urls]: Good Practices for Capability URLs. Jeni Tennison. W3C. 18 February 2014. W3C Working Draft. URL: https://www.w3.org/TR/capability-urls/
[security-privacy-questionnaire]: Self-Review Questionnaire: Security and Privacy. Mike West. W3C. 10 December 2015. W3C Note. URL: https://www.w3.org/TR/security-privacy-questionnaire/

WebSubの仕様 日本語版