Re: NSD API security

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Thu, 03 Oct 2013 08:50:28 +0200
Message-ID: <1380783028.3371.5.camel@cumulustier>
To: Frederick.Hirsch@nokia.com
Cc: Youenn.Fablet@crf.canon.fr, bh526r@att.com, richt@opera.com, giuseppep@opera.com, public-device-apis@w3.org, public-web-and-tv@w3.org
On Thursday, 3 October 2013 at 01:28 +0000, Frederick.Hirsch@nokia.com
wrote:
> The fundamental flaw is that one device has two purposes, allowing
> flaws from one to affect the other, yet this is also why it is sold
> and valued - the convenience, cost reduction, lower hardware
> footprint, easier management etc are also benefits.

One simple (but of course not 100% effective) solution would be for such
a dual-service device to expose CORS headers only on the benign
service, and not on the security-sensitive one.

(if a bug in the benign service allows an attack on the sensitive one, of
course, this won't be of much use)

Dom
Received on Thursday, 3 October 2013 06:50:46 UTC
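
The split suggested in this message, sketched as an added example (not part of the original message or of any NSD implementation): one device handler that sends CORS headers for the benign service only. The paths `/media` and `/admin`, the response bodies and the function names are assumptions.

```javascript
// Added example. The service paths and bodies are assumptions for illustration.
const SERVICES = {
  "/media": { sensitive: false, body: '{"items":[]}' },  // benign service
  "/admin": { sensitive: true, body: '{"config":{}}' }   // security-sensitive service
};

// CORS response headers for one request; an empty object means "send none".
function corsHeadersFor(method, path, origin) {
  const svc = SERVICES[path];
  if (!svc || svc.sensitive || !origin) return {};
  const headers = { "Access-Control-Allow-Origin": "*" };
  if (method === "OPTIONS") {
    headers["Access-Control-Allow-Methods"] = "GET";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Request handler with the (req, res) shape used by Node's http.createServer.
function handle(req, res) {
  const path = req.url.split("?")[0];
  const svc = SERVICES[path];
  const cors = corsHeadersFor(req.method, path, req.headers.origin);
  if (!svc) {
    res.writeHead(404, cors);
    return res.end();
  }
  if (req.method === "OPTIONS") {
    // A preflight for the sensitive service gets no CORS answer, so the
    // browser never sends the real cross-origin request.
    res.writeHead(svc.sensitive ? 403 : 204, cors);
    return res.end();
  }
  // Non-preflighted requests still reach the sensitive service; without CORS
  // headers the browser only keeps the calling page from reading the reply.
  res.writeHead(200, Object.assign({ "Content-Type": "application/json" }, cors));
  res.end(svc.body);
}
```

The handler can be mounted with Node's `http.createServer(handle)`; the sensitive service still needs its own authentication, since the missing headers only restrict what a browser page can read.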