On Fri, Sep 25, 2015 at 9:14 PM, Jeffrey Yasskin <jyasskin@google.com>
wrote:
>
> Yeah, *browsers* should trust the origin information they find in a Web
> NFC message. I do think the spec should warn *website authors* that the
> information may have come from a malicious or pwned tag/peer, rather than
> their own manufacturer, and that the website should check the data before
> trusting it.
>
Yes, that could be done: "if data integrity is important for you, implement
it, we're just a transport".
However, it worries me that we still intend to base UA policies on fragile
information. Anyway, that cannot be done by web pages, so one could call the
risk out of scope for the Web NFC API (with a note).
>
> Remember that we're trying to prevent web pages from writing to tags that
> don't already advertise an origin matching the page's origin. So pages can
> only attack "their own" devices.
>
> If the browser can restrict writes to own-origin tags, then pages can't
> rewrite a tag with different origin information.
>
And how would the browser write the tag the first time?
Do we require that 1. we only write an empty or "same-origin" tag?
Or could a page 2. write a "cross-origin" or "no-origin" tag against a user
prompt (powerful feature)?
Thanks,
Zoltan