RE: [discovery] DAP-ISSUE-131 Support UPnP device discovery by Device Type? (was RE: [discovery] Adding CORS to NSD API - proposal and issues)

> (2) Access control should be per UPnP device.

Presenting devices is more meaningful from a user point of view than presenting individual services.
Maybe that guideline could be stated in the spec.

Also, disclosing one UPnP service to a web app means also disclosing all UPnP services of the UPnP device.
The web app can learn the control URLs of all services on the same device from the config field.
We could filter properly this field, but a smart attacker would probably be able to guess the URLs anyway.


Received on Friday, 11 October 2013 16:16:20 UTC