W3C home > Mailing lists > Public > public-device-apis@w3.org > April 2015

RE: [W3C TCP and UDP Socket API]: Status and home for this specification

From: Domenic Denicola <d@domenic.me>
Date: Wed, 1 Apr 2015 14:15:45 +0000
To: "Nilsson, Claes1" <Claes1.Nilsson@sonymobile.com>, 'Anne van Kesteren' <annevk@annevk.nl>
CC: "public-sysapps@w3.org" <public-sysapps@w3.org>, public-webapps <public-webapps@w3.org>, Device APIs Working Group <public-device-apis@w3.org>, Domenic Denicola <domenic@domenicdenicola.com>, "slightlyoff@chromium.org" <slightlyoff@chromium.org>, "yasskin@gmail.com" <yasskin@gmail.com>
Message-ID: <CY1PR0501MB13694BE4454A65FF7775C853DFF30@CY1PR0501MB1369.namprd05.prod.outlook.com>
This distinction between user permission and general permission is key, I think.

For example, I could naively imagine something like the browser auto-granting permission if the requested remoteAddress is equal to the IP address of the origin executing the API. Possibly with a pre-flight request that checks e.g. /.well-known/tcp-udp-permission-port-<remotePort> on that origin for a header to ensure the server is cooperative. (But I am sure there are security people standing by to tell me how this is very naive...) The async permissions style is flexible enough to allow any such techniques to come in to play.

-----Original Message-----
From: Nilsson, Claes1 [mailto:Claes1.Nilsson@sonymobile.com] 
Sent: Wednesday, April 1, 2015 09:58
To: 'Anne van Kesteren'
Cc: public-sysapps@w3.org; public-webapps; Device APIs Working Group; Domenic Denicola; slightlyoff@chromium.org; yasskin@gmail.com
Subject: RE: [W3C TCP and UDP Socket API]: Status and home for this specification

Hi Anne,

This is a misunderstanding that probably depends on that I used the word "permission", which people associate with "user permission". User permissions are absolutely not enough to provide access to this API. However, work is ongoing in the Web App Sec WG that may provide basis for a security model for this API. Please read section 4, http://www.w3.org/2012/sysapps/tcp-udp-sockets/#security-and-privacy-considerations. 

I am trying to get to a point to see if a TCP and UDP Socket is possible to standardize taking the changed assumption into consideration, i.e. there will be no W3C web system applications.

BR
  Claes


Claes Nilsson
Master Engineer - Web Research
Advanced Application Lab, Technology

Sony Mobile Communications
Tel: +46 70 55 66 878
claes1.nilsson@sonymobile.com

sonymobile.com



> -----Original Message-----
> From: Anne van Kesteren [mailto:annevk@annevk.nl]
> Sent: den 1 april 2015 11:58
> To: Nilsson, Claes1
> Cc: public-sysapps@w3.org; public-webapps; Device APIs Working Group; 
> Domenic Denicola; slightlyoff@chromium.org; yasskin@gmail.com
> Subject: Re: [W3C TCP and UDP Socket API]: Status and home for this 
> specification
> 
> On Wed, Apr 1, 2015 at 11:22 AM, Nilsson, Claes1 
> <Claes1.Nilsson@sonymobile.com> wrote:
> > A webapp could for example request permission to create a TCP
> connection to a certain host.
> 
> That does not seem like an acceptable solution. Deferring this to the 
> user puts the user at undue risk as they cannot reason about this 
> question without a detailed understanding of networking.
> 
> The best path forward here would still be standardizing some kind of 
> public proxy protocol developers could employ:
> 
>   https://annevankesteren.nl/2015/03/public-internet-proxy

> 
> 
> --
> https://annevankesteren.nl/


Received on Wednesday, 1 April 2015 14:16:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC