- From: Kis, Zoltan <zoltan.kis@intel.com>
- Date: Tue, 7 Apr 2015 16:07:53 +0300
- To: Anders Rundgren <anders.rundgren.net@gmail.com>
- Cc: "public-nfc@w3.org" <public-nfc@w3.org>
- Message-ID: <CANrNqUfCDgByvHQWgDSJJm=+3jrM6CTErKCyFUE4vX6CwDXPcQ@mail.gmail.com>
On Tue, Apr 7, 2015 at 3:49 PM, Anders Rundgren < anders.rundgren.net@gmail.com> wrote: > 5. Security and Privacy Considerations > > User agents must not provide Web NFC API access to web apps without the > expressed permission of the user. User agents must acquire consent for > permission through a user interface for each call to the methods of this > API, unless a prearranged trust relationship applies. > > User agents may support prearranged trust relationships that do not > require such per-request user interfaces. > > ------ > > I'm probably naive and my knowledge of NFC is indeed not that great, but I > don't see that writing NDEF records to NFC would necessarily require any > security prompts. A short "flash" like in Android saying "NFC data is > available" should (IMO) be sufficient. > > Regarding adapter selection, I would remove that from APIs exposed to the > "Open Web" and for the extremely rare situation that there are actually are > multiple adapters, leave that choice to the user. > > *Generally I think user-side NFC and server-side NFC should live in > different specs, even if NFC in itself is "symmetric". User-side NFC may > be performed by native applications and doesn't necessary have a > web-interface at all.* > There is a separate document on this [1], some of the threats are described there. It would be great if you'd give feedback on this doc. I am planning an update with a second implementation possibility, landing soon (alternative to Section 8). [1] http://w3c.github.io/web-nfc/security-privacy.html Best regards, Zoltan
Received on Tuesday, 7 April 2015 13:08:21 UTC