Re: [presentation-api] Authenticity of screen selection permission is problematic in insecure contexts

There are two other specific issues with allowing the presentation to 
be fetched from an insecure context.

1. The specific type of phishing attack mentioned in the spec [1] 
becomes possible for any attacker who can manipulate the resources 
fetched by the presentation page.

2. The user should expect that the presentation screen doesn't retain
browsing state after the presentation is terminated. In an insecure
context, it's impossible to guarantee that browsing state isn't leaked
to a third party.



-- 
GitHub Notification of comment by mfoltzgoogle
Please view or discuss this issue at
https://github.com/w3c/presentation-api/issues/380#issuecomment-276160625
using your GitHub account

Received on Monday, 30 January 2017 19:15:57 UTC