Re: [web-nfc] Review fixes for #44.

On Fri, Sep 25, 2015 at 9:43 PM, Jeffrey Yasskin <jyasskin@google.com>
wrote:

> On Fri, Sep 25, 2015 at 11:35 AM, Kis, Zoltan <zoltan.kis@intel.com>
> wrote:
>
>>
>> If the browser can restrict writes to own-origin tags, then pages can't
>> rewrite a tag with different origin information.
>>
>> And how would the browser write the tag the first time?
>> Do we require that 1. we only write an empty or "same-origin" tag?
>> Or could a page 2. write a "cross-origin" or "no-origin" tag against a
>> user prompt (powerful feature)?
>>
>
> Writing the initial tag content might not work from the web API; maybe you
> need the manufacturer to initialize it with a trusted origin. Even allowing
> writes to empty tags diverges from the same-origin policy, and needs buy-in
> from the security folks.
>
>
At least we can start with this, and mention in a note (or actually the
Security doc) what some other possible policies are.
I will make the necessary changes in the spec and the Security document.
Will keep PR #56 open for this (and will change the title).
Perhaps we should also update #3 based on this discussion.

I would appreciate input from Nathan concerning this discussion.

Best regards,
Zoltan

Received on Friday, 25 September 2015 19:26:26 UTC