W3C home > Mailing lists > Public > public-nfc@w3.org > February 2015

Re: [nfc] Verify security model

From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
Date: Wed, 18 Feb 2015 23:22:01 +0000
To: public-nfc@w3.org
Message-ID: <issue_comment.created-74970395-1424301720-sysbot+gh@w3.org>
I agree with all that with one nit. The user may trust 
https://toplevel.com/ to access their NFC tag, but not 
https://manufacturer.com/. It'd be nice if the protocol doesn't force 
everyone to send breadcrumbs back to the manufacturer. (Clearly the 
manufacturer can force it by only whitelisting themselves, but I don't
 want them to be able to use our spec as an excuse.)

Moving farther afield, we'd want something like [`<iframe 
allowfullscreen>`](https://html.spec.whatwg.org/multipage/embedded-content.html#attr-iframe-allowfullscreen)
 to let top-level pages explicitly forward their permission on to 
their iframes. @adrifelt is working on a more generic way to do this.

-- 
GitHub Notif of comment by jyasskin
See https://github.com/w3c/nfc/issues/76#issuecomment-74970395
Received on Thursday, 19 February 2015 00:12:57 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 19 February 2015 00:12:58 UTC