- From: Kenneth Rohde Christiansen via GitHub <sysbot+gh@w3.org>
- Date: Wed, 19 Aug 2015 18:20:06 +0000
- To: public-web-nfc@w3.org

So yeah, you can use a native app to fake the origin/path (you cannot from a web app). I guess that there is a chance that users might do that to bypass buying subscriptions etc. from web sites - i.e. try to cheat the site, but the site can add tokens etc. to the tag to avoid such cases. In that way it is not really a security issue.

I guess the problem is if a person walks up to a bar and there is a place to tap the NFC reader and it says to enter the site and tap the NFC tag. Now the NFC tag is fake and it tricks the user into getting the site to read a fake tag. I am not really sure that is a big problem either.

What the origin/path makes sure is that random sites don't read info not made for them, so it protects the user from giving random sites access to data (unless the user manually goes and modifies the origin/path - but then the user knows what he is doing). I do think that is a pretty good protection of the user and his/her data. If you tap a tag by mistake, at least only the site intended to read it will read it.

Non web-tags are not safe in that sense, so we probably shouldn't allow random sites to get access to that info without at least some consent from the user, i.e. a prompt when the site watches for non web-tags.

--
GitHub Notif of comment by kenchris
See https://github.com/w3c/web-nfc/issues/3#issuecomment-132731147

Received on Wednesday, 19 August 2015 18:20:10 UTC
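
The delivery rule discussed in this message, sketched as an added example that is not part of the original message and is not the Web NFC API: a user agent hands a web tag only to a page whose origin/path matches the tag's, and asks for consent before a page may read non web-tags. The names `decideDelivery`, `pathWithin` and the `scope` field are hypothetical, the segment-aware path prefix rule is an assumption, and the sample tags are constructed.

```javascript
// Added illustration: a model of the delivery decision, not the Web NFC API.
// tag.scope: origin/path URL written into a web tag, or null for a non web-tag.

// Assumption: the path rule is a segment-aware prefix match, so "/members"
// covers "/members/card" but not "/members-evil".
function pathWithin(scopePath, pagePath) {
  const base = scopePath.endsWith('/') ? scopePath : scopePath + '/';
  return pagePath === scopePath || (pagePath + '/').startsWith(base);
}

// Returns 'deliver', 'drop' or 'prompt' for one tag read by one page.
function decideDelivery(tag, pageUrl, consentedToNonWebTags) {
  const page = new URL(pageUrl);
  if (tag.scope === null) {
    // Non web-tag: nothing ties it to a site, so fall back to user consent.
    return consentedToNonWebTags ? 'deliver' : 'prompt';
  }
  let scope;
  try {
    scope = new URL(tag.scope);
  } catch (e) {
    return 'drop'; // malformed origin/path on the tag
  }
  // Origin compares scheme, host and port; opaque origins never match.
  if (scope.origin === 'null' || scope.origin !== page.origin) return 'drop';
  return pathWithin(scope.pathname, page.pathname) ? 'deliver' : 'drop';
}

// Constructed sample tags and pages.
const webTag = { scope: 'https://shop.example/members', data: 'card-1234' };
const plainTag = { scope: null, data: 'plain text record' };

function demo() {
  return [
    decideDelivery(webTag, 'https://shop.example/members/card', false),
    decideDelivery(webTag, 'https://shop.example/members-evil', false),
    decideDelivery(webTag, 'https://other.example/members', false),
    decideDelivery(webTag, 'http://shop.example/members', false),
    decideDelivery(plainTag, 'https://other.example/', false),
    decideDelivery(plainTag, 'https://other.example/', true),
  ];
}

console.log(demo());
```

The check keeps a tag's data away from sites it was not written for; because a native app can write any origin/path onto a tag, a site still has to validate the tag's content itself.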