- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Wed, 03 Aug 2011 19:50:46 +0200
- To: public-device-apis@w3.org
The following comment contains detailed information about a few issues that were identified during a recent security analysis of 13 W3C standards, organized by ENISA (European Network and Information Security Agency), and performed by the DistriNet Research Group (K.U. Leuven, Belgium). The complete report is available at http://www.enisa.europa.eu/html5 (*), and contains information about the process, the discovered vulnerabilities and recommendations towards improving overall security in the studied specifications. Issues -------- SYSINFO-SECURE-1.Monitoring Lifetime: The specification discusses a way to launch a background monitoring process, that invokes a callback handler if the location has changed. It briefly mentions that there is a maximum lifetime. The specification does not provide a cocnrete value for the maximum lifetime, nor does it provide any requirements for the lifetime of a monitor process. For instance, such a process should also terminate when the associated document no longer exists. SYSINFO-USER-1.Permission Nature: The specification does not impose that the nature of the permission (one-shot or monitoring) must be made clear when asking for consent. The difference between permission for one-shot access and launching a monitoring process is quite important. Additionally, stored one-shot permissions are very similar to the monitoring process! (*) HTML version of the report is available as well: https://distrinet.cs.kuleuven.be/projects/HTML5-security/ -- Philippe De Ryck K.U.Leuven, Dept. of Computer Science Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Wednesday, 3 August 2011 17:53:12 UTC