- From: Zoltan Kis via GitHub <sysbot+gh@w3.org>
- Date: Mon, 04 Nov 2019 08:56:24 +0000
- To: public-web-nfc@w3.org
What we need to ensure is the connection between the tag+URL and the NDEF data exposed to a site. For instance, in the following scenarion, - page 1 uses Web NFC, has a reader set up - a tag containing a bootstrap URL comes in range - a new page 2 is launched by the browser from the tag, exposing the tag data to it - but site 1 will also get the data since it has a reader set up. Only page 2 should be "connected" to the tag, if that has any meaning related to "trust" (we have not defined that yet). There is _some_ assumption there, since we "save" another tap before reading tap data, therefore going around the security policies that are in place for tags in general. At the moment we say tags integrity is not to be trusted, but with this use case, we need to clarify if the data and page have any trust relationship. What does it mean to have a `referrerNDEF` or something like that. I'd leave threat assessment to security people. This is not an argument against the feature, just a note that threat assessment must be done for such new features. -- GitHub Notification of comment by zolkis Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/429#issuecomment-549265655 using your GitHub account
Received on Monday, 4 November 2019 08:56:25 UTC