Security improvement - allow only known push services

[iMattPro]

Only allows users to subscribe to a known push service endpoint.
https://github.com/pushpad/known-push-services/blob/master/whitelist

[Copilot]

Pull request overview

This PR tightens Web Push subscription security by rejecting subscriptions whose endpoint host is not a known/allowed push service (based on the pushpad known-push-services whitelist), and wires in language support and tests for the new behavior.

Changes:

• Add endpoint host allowlist + wildcard-suffix matching and enforce it during subscription.
• Improve client-side subscribe flow to handle non-success responses and undo the browser subscription on failure.
• Add language loading during core.user_setup and introduce WEBPUSH_INVALID_ENDPOINT translations; expand PHPUnit coverage.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
ucp/controller/webpush.php	Adds allowlist validation for push endpoint hosts and rejects invalid endpoints on subscribe.
styles/all/template/webpush.js	Converts subscribe request handling to async/await and unsubscribes client-side on server-side rejection.
event/listener.php	Loads extension common language file during core.user_setup.
language/en/common.php	Adds English translation for WEBPUSH_INVALID_ENDPOINT.
language/ru/common.php	Adds Russian translation for WEBPUSH_INVALID_ENDPOINT.
tests/controller/controller_webpush_test.php	Updates subscription test endpoint and adds coverage for endpoint validation.
tests/event/listener_test.php	Updates subscribed-events expectation and tests language loading on setup.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.