Re: [presentation-api] Security and privacy considerations

Good catch. We should note the probing issue in the Security and 
privacy considerations section. This was not touched upon by PING, 
likely since the spec does not mention DIAL explicitly. We could also 
consider amending the respective algorithms with a note. E.g. in 
[Monitor the list of available presentation displays][1]:

>NOTE
>The mechanism used to monitor presentation displays availability and
>determine the compatibility of a presentation display with a given URL
>is left to the user agent.

This could be amended with text that makes it clear that the given URL
 may reveal information about the user's system, e.g. apps installed 
to handle the specifically crafted URL. Also note the UAs may 
implement measures to mitigate that and how. If this warrants changes 
to the algorithm, we should look at that too.

[1]: https://w3c.github.io/presentation-api/#dfn-monitor-the-list-of-available-presentation-displays

-- 
GitHub Notif of comment by anssiko
See 
https://github.com/w3c/presentation-api/issues/45#issuecomment-144039610

Received on Tuesday, 29 September 2015 12:10:15 UTC