Re: [web-nfc] Suggest a permission UI flow

I think you have stated it pretty clearly, and it's the same as what 
you said earlier.

> My concern with using a URL in the ID field as the way to indicate 
> that an otherwise unsafe action is safe, is that the NDEF spec says 
> that the ID field always includes a URL.

That is correct: if present, the ID field very likely contains a URL, 
and may match valid origins in many cases. Therefore you may say that 
using only the ID field is not good enough. But even in those cases, 
that URL was actually meant to *identify* the data, hence the usage 
would be similar and appropriate. If any side effects pop up, they would 
not affect the original native apps, but indeed may give access to 
the accidental origin match, which anyway is supposed to be linked 
with the data, so I see no threat other than that now the data can be 
accessed via a browser and a site which was anyway connected to the 
payload.

If this is not good enough, then it means we must use at least one 
special record per message, which is web-nfc-specific, and which 
contains information about what origins can access the payload and 
how.

That has been designed quite early, and discarded in later versions, 
so we indeed went in circles. 

Now I have questions/issues concerning the mechanisms "on tags to 
indicate which actions are safe and which ones are not".

1. If the format is a "whitelist", should it be an explicit long list 
of distinct origins which are allowed to access the data, or could it 
be a list of URL patterns matching origins?

2. Do you think we need to make a distinction between read and write 
access for the actions (meaning no prompts; otherwise the operations 
may complete with prompts)?

3. In the actions, do we need to record a preference for allowing 
showing prompts or not? What is the default?

I would argue that at the moment we should start only with the 
following options:
- only pages with the same origin can access the data (by default), or
- any origin can access the data (the choice needs to be recorded in 
the tags)
- otherwise we prompt (or fail).

I have assumed this (and then we don't strictly need any Web NFC-
specific record), but if you want an explicit format for controlling 
access, please give some explicit examples and suggestions.

-- 
GitHub Notif of comment by zolkis
See https://github.com/w3c/web-nfc/issues/3#issuecomment-133172373

Received on Thursday, 20 August 2015 21:04:59 UTC
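The origin-matching policy sketched in the comment above (same origin by default, "any origin" when the tag records that choice, otherwise prompt) can be made concrete as a small decision function. The following is an added example written for this archive page; it is not code from the Web NFC specification or from the zolkis comment. It assumes a plain JavaScript object layout for NDEF records (`id`, `recordType`, `data`) and a hypothetical `anyOrigin` boolean standing in for whatever "the choice recorded in the tag" would look like; the sample message is constructed, not read from a real tag. It also shows the caveat raised in the quoted objection: an ID URL that was only meant to identify the data (`https://shop.example/products/42`) still produces an origin match for `https://shop.example`, because the comparison is on origin (scheme, host, port), not on the full URL.

```javascript
// Added example, not part of the original thread or the Web NFC spec.
// Record layout and the `anyOrigin` flag are assumptions for illustration.

// Extract a web origin (scheme://host[:port]) from the ID field.
// Returns null when the ID is absent, is not a parseable URL, or is not
// http(s): such IDs cannot match any page origin.
function originOf(idField) {
  if (typeof idField !== 'string') return null;
  let url;
  try {
    url = new URL(idField);
  } catch (e) {
    return null; // ID field is not a URL at all
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  return url.origin; // path, query and fragment are deliberately dropped
}

// Decide how a page running at `pageOrigin` may access one NDEF record.
// Mirrors the three options in the comment: 'allow' for same origin or an
// explicit any-origin marker, 'prompt' for everything else.
function decideAccess(record, pageOrigin) {
  // Option 2: the tag explicitly recorded that any origin may access it.
  // (Hypothetical encoding: a boolean on the record object.)
  if (record.anyOrigin === true) return 'allow';

  // Option 1 (default): the URL in the ID field names the same origin.
  // Note the caveat: a URL that merely identifies the data still matches,
  // since only scheme/host/port are compared.
  const tagOrigin = originOf(record.id);
  if (tagOrigin !== null && tagOrigin === pageOrigin) return 'allow';

  // Option 3: otherwise the user agent prompts (or the operation fails).
  return 'prompt';
}

// Evaluate every record in a message for a given page origin.
function evaluateMessage(message, pageOrigin) {
  return message.records.map((record) => ({
    id: record.id,
    decision: decideAccess(record, pageOrigin),
  }));
}

// Constructed sample NDEF message (not captured from a real tag).
const SAMPLE_MESSAGE = {
  records: [
    // ID URL identifies the product; origin happens to match shop.example.
    { recordType: 'text', id: 'https://shop.example/products/42', data: 'Blue mug' },
    // Different origin: prompt.
    { recordType: 'url', id: 'https://other.example/tag', data: 'https://other.example/promo' },
    // A URN, valid URL syntax but not a web origin: prompt.
    { recordType: 'mime', id: 'urn:epc:id:sgtin:0614141.107346.2017', data: 'opaque' },
    // Tag recorded "any origin" (hypothetical flag): allow regardless of page.
    { recordType: 'text', id: 'https://cdn.example/r/7', anyOrigin: true, data: 'Public notice' },
  ],
};

// Stand-alone run: print the decision for a page at https://shop.example.
for (const result of evaluateMessage(SAMPLE_MESSAGE, 'https://shop.example')) {
  console.log(result.decision.padEnd(7), result.id);
}
```

Because `originOf` uses the URL constructor's `origin`, a non-default port is part of the origin: a tag whose ID is `https://shop.example:8443/x` does not match a page served from `https://shop.example`, which is the expected same-origin behaviour on the web.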