RE: [discovery] DAP-ISSUE-131 Support UPnP device discovery by Device Type? (was RE: [discovery] Adding CORS to NSD API - proposal and issues) from Youenn Fablet on 2013-10-11 (public-device-apis@w3.org from October 2013)

From: Youenn Fablet <Youenn.Fablet@crf.canon.fr>
Date: Fri, 11 Oct 2013 16:15:31 +0000
To: "Igarashi, Tatsuya" <Tatsuya.Igarashi@jp.sony.com>, "Cathy.Chan@nokia.com" <Cathy.Chan@nokia.com>
CC: "public-device-apis@w3.org" <public-device-apis@w3.org>, "giuseppep@opera.com" <giuseppep@opera.com>, "richt@opera.com" <richt@opera.com>
Message-ID: <ACC41E833067BD4FB8084DEBA2D866BE2F5399FC@ADELE.crf.canon.fr>

> (2) Access control should be per UPnP device.

+1
Presenting devices is more meaningful from a user point of view than presenting individual services.
Maybe that guideline could be stated in the spec.

Also, disclosing one UPnP service to a web app means also disclosing all UPnP services of the UPnP device.
The web app can learn the control URLs of all services on the same device from the config field.
We could filter properly this field, but a smart attacker would probably be able to guess the URLs anyway.

Regards,
 Youenn

Received on Friday, 11 October 2013 16:16:20 UTC