- From: Zoltan Kis via GitHub <sysbot+gh@w3.org>
- Date: Fri, 02 Jun 2017 06:58:49 +0000
- To: public-web-nfc@w3.org
> Android does not show the terminal, physical reader or whatever. You just get a notification when a card is near and you can send command like here NFC gives the ability to send NFCMessage. The problem - as Anders said - is that it's web sites that get the notifications and can run scripts using this API to start a transaction and transfer arbitrary data, not unlike a "remote SPI" interface. It is one thing that's a large exploit surface, but it's an even bigger problem that this attack surface is exposed to web pages, which in turn are also a large attack surface, and browsers have peculiar security model to deal with it, which might not be well suited in this case. In the best case I see this feature as being always behind the 'experimental' flag in a browser, which would restrict general usability. So Anders is right, and we need to do a more thorough analysis on whether and how could we expose this - but for now we need to focus on landing the current version. -- GitHub Notification of comment by zolkis Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/101#issuecomment-305706206 using your GitHub account
Received on Friday, 2 June 2017 06:58:55 UTC