
Re: [presentation-api] Authenticity of screen selection permission is problematic in insecure contexts

From: Mark Foltz via GitHub <sysbot+gh@w3.org>
Date: Mon, 30 Jan 2017 19:15:51 +0000
To: public-secondscreen@w3.org
Message-ID: <issue_comment.created-276160625-1485803749-sysbot+gh@w3.org>
There are two other specific issues with allowing the presentation to 
be fetched from an insecure context.

1. The specific type of phishing attack mentioned in the spec [1] 
becomes possible for any attacker who can manipulate the resources 
fetched by the presentation page.

2. The user should expect that the presentation screen doesn't retain 
browsing state after the presentation is terminated. In an insecure 
context, it's impossible to guarantee that browsing state isn't leaked 
to a third party.

-- 
GitHub Notification of comment by mfoltzgoogle
Please view or discuss this issue at 
https://github.com/w3c/presentation-api/issues/380#issuecomment-276160625 
using your GitHub account
Received on Monday, 30 January 2017 19:15:57 UTC
