- From: Jeffrey Yasskin <jyasskin@google.com>
- Date: Fri, 25 Sep 2015 11:43:08 -0700
- To: "Kis, Zoltan" <zoltan.kis@intel.com>
- Cc: Anssi Kostiainen via GitHub <sysbot+gh@w3.org>, "Web NFC (W3C)" <public-web-nfc@w3.org>
- Message-ID: <CANh-dXn6xDDT7BK1ogLTZ1EkeddD8pbVSdgBSRv0178FdJiHZA@mail.gmail.com>
On Fri, Sep 25, 2015 at 11:35 AM, Kis, Zoltan <zoltan.kis@intel.com> wrote:

> On Fri, Sep 25, 2015 at 9:14 PM, Jeffrey Yasskin <jyasskin@google.com> wrote:
>
>> Yeah, *browsers* should trust the origin information they find in a Web
>> NFC message. I do think the spec should warn *website authors* that the
>> information may have come from a malicious or pwned tag/peer, rather than
>> their own manufacturer, and that the website should check the data before
>> trusting it.
>
> Yes, that could be done: "if data integrity is important for you,
> implement it, we're just a transport".
> However, it worries me that we still intend to base UA policies on fragile
> information. Anyway that cannot be done by web pages, so one could call the
> risk out of scope for the Web NFC API (with a note).
>
>> Remember that we're trying to prevent web pages from writing to tags that
>> don't already advertise an origin matching the page's origin. So pages can
>> only attack "their own" devices.
>>
>> If the browser can restrict writes to own-origin tags, then pages can't
>> rewrite a tag with different origin information.
>
> And how would the browser write the tag the first time?
> Do we require that 1. we only write an empty or "same-origin" tag?
> Or could a page 2. write a "cross-origin" or "no-origin" tag against a
> user prompt (powerful feature)?

Writing the initial tag content might not work from the web API; maybe you need the manufacturer to initialize it with a trusted origin. Even allowing writes to empty tags diverges from the same-origin policy, and needs buy-in from the security folks.

Jeffrey
Received on Friday, 25 September 2015 18:43:55 UTC