RE: NSD API security

I wonder what should be added/changed to the NSD API spec to make CORS work.
A web page can already try to scan the local network through GET requests.
If a local device enables  '*' CORS, a web page can already interact with it.
 Y

> -----Original Message-----
> From: Dominique Hazael-Massieux [mailto:dom@w3.org]
> Sent: vendredi 20 septembre 2013 10:19
> To: Rich Tibbett
> Cc: Giuseppe Pascale; FABLET Youenn; public-device-apis@w3.org; public-
> web-and-tv
> Subject: Re: NSD API security
> 
> Le vendredi 20 septembre 2013 à 17:28 +1000, Rich Tibbett a écrit :
> > So there are a number of directions we could take this in:
> >
> > 1. Focus the specification around a CORS-only solution. CORS is an
> > accepted mechanism to allow cross-origin communication on the web and
> > could work well in the local network environment also. The problem
> > with adopting a CORS-only approach is we have zero devices currently
> > ready to step in to this brave new world with us. A specification that
> > allows you to connect with precisely zero network services will not be
> > useful.
> 
> I think that no matter what, the spec should support a CORS-based approach.
> 
> > 2. Support whitelisting of specific local network services in the user
> > agent, at the user's request to enable communication with those
> > services. Even if we went with a CORS-only approach (see (1.) above),
> > this could be a practical fallback to support existing/legacy network
> > services. This would provide non-CORS-enabled services with the same
> > privileges as CORS-enabled services from the user agent without the
> > service itself needing to support CORS implicitly (as also proposed in
> > the current NSD API specification).
> 
> I support the idea (at least in theory — it would remain to be seen whether
> any user agent would feel confident to support such a whitelist); but given
> that this is an exception mechanism, I'm not even sure it needs to be
> specified —  since the user agent is ultimately responsible for managing the
> same origin policy, user-specified exceptions to that policy (which such a
> whitelist would be) seem beyond what we need to define for interoperability.
> Or did you have in mind some specific aspects that would need to be spec-d
> here?
> 
> Dom

Received on Friday, 20 September 2013 09:20:26 UTC