RE: [discovery] DAP-ISSUE-131 Support UPnP device discovery by Device Type? (was RE: [discovery] Adding CORS to NSD API - proposal and issues)

From: Youenn Fablet <Youenn.Fablet@crf.canon.fr>
Date: Fri, 11 Oct 2013 16:15:31 +0000
To: "Igarashi, Tatsuya" <Tatsuya.Igarashi@jp.sony.com>, "Cathy.Chan@nokia.com" <Cathy.Chan@nokia.com>
CC: "public-device-apis@w3.org" <public-device-apis@w3.org>, "giuseppep@opera.com" <giuseppep@opera.com>, "richt@opera.com" <richt@opera.com>
Message-ID: <ACC41E833067BD4FB8084DEBA2D866BE2F5399FC@ADELE.crf.canon.fr>

> (2) Access control should be per UPnP device.

+1
Presenting devices is more meaningful from a user point of view than presenting individual services.
Maybe that guideline could be stated in the spec.

Also, disclosing one UPnP service to a web app means also disclosing all UPnP services of the UPnP device.
The web app can learn the control URLs of all services on the same device from the config field.
We could properly filter this field, but a smart attacker would probably be able to guess the URLs anyway.

Regards,
	Youenn
Received on Friday, 11 October 2013 16:16:20 UTC
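
The disclosure described in the message above, as an added example that is not part of the original post or of the NSD specification: it parses a constructed UPnP device description (the kind of document the message's config field carries) to list every service's control URL, then applies a hypothetical `filter_config` that keeps only the granted service. The sample description, its URLs, and both function names are assumptions; as the message notes, such a filter only hides the other URLs and does not stop requests to them, which is the argument for per-device access control.

```python
import xml.etree.ElementTree as ET

NS = {"d": "urn:schemas-upnp-org:device-1-0"}   # UPnP device description namespace
ET.register_namespace("", NS["d"])              # serialize without an ns0: prefix
CDS = "urn:schemas-upnp-org:service:ContentDirectory:1"

# Constructed, abbreviated device description (friendly name and URLs are made up).
SAMPLE_CONFIG = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
    <friendlyName>Example NAS</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ContentDirectory:1</serviceType>
        <controlURL>/upnp/control/cds</controlURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:ConnectionManager:1</serviceType>
        <controlURL>/upnp/control/cm</controlURL>
      </service>
      <service>
        <serviceType>urn:schemas-upnp-org:service:AVTransport:1</serviceType>
        <controlURL>/upnp/control/avt</controlURL>
      </service>
    </serviceList>
  </device>
</root>"""

def service_urls(config_xml):
    """Map each serviceType in a device description to its controlURL."""
    root = ET.fromstring(config_xml)
    return {s.findtext("d:serviceType", namespaces=NS):
            s.findtext("d:controlURL", namespaces=NS)
            for s in root.iterfind(".//d:service", NS)}

def filter_config(config_xml, granted_type):
    """Hypothetical user-agent filter: keep only the granted <service> entry."""
    root = ET.fromstring(config_xml)
    for slist in root.findall(".//d:serviceList", NS):
        for svc in list(slist):          # copy: we remove children while looping
            if svc.findtext("d:serviceType", namespaces=NS) != granted_type:
                slist.remove(svc)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("unfiltered:", service_urls(SAMPLE_CONFIG))
    print("filtered:  ", service_urls(filter_config(SAMPLE_CONFIG, CDS)))
```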
