
Re: [presentation-api] Authenticity of screen selection permission is problematic in insecure contexts

From: Mark Foltz via GitHub <sysbot+gh@w3.org>
Date: Wed, 30 Nov 2016 20:18:40 +0000
To: public-secondscreen@w3.org
Message-ID: <issue_comment.created-263983429-1480537118-sysbot+gh@w3.org>

Regarding geolocation, the motivation posted to blink-dev was that 
geolocation returned privacy-sensitive information, and should not be 
exposed to a MITM, which I totally agree with.  We don't believe the 
Presentation API returns the same kind of privacy-sensitive 
information.

The Secure Contexts TR [1] was also referenced to deprecate insecure 
use of "Powerful Features."  However "Powerful Features" are not 
defined by that spec.  @mikewest is this the document that defines 
what Chrome considers to be powerful features? [2] Is there anything 
in the W3C space that is the equivalent?

Regarding the dialog, that seems an issue with all Web platform APIs 
that require user interaction: alert(), file uploads, printing, 
running plugins, etc.  I'd like to understand better if the intention 
of some folks is to deprecate all of these on insecure contexts, and 
can follow up internally within Chrome.

[1] https://www.w3.org/TR/secure-contexts/
[2] https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features



-- 
GitHub Notification of comment by mfoltzgoogle
Please view or discuss this issue at 
https://github.com/w3c/presentation-api/issues/380#issuecomment-263983429
 using your GitHub account
Received on Wednesday, 30 November 2016 20:18:48 UTC
