Re: [web-nfc] "typedef DOMString NDEFRecordType" is expected to be case sensitive or not? (#331)

Good question, @reillyeon. I got mentioned to this issue from https://chromium-review.googlesource.com/c/chromium/src/+/1791533 , which came from some confusion around Chromium's PSL API.

It's definitely better to *not* rely on the PSL here, and hopefully having shared that rant externally may help explain why :)

For all new features, we should be working to make sure they follow the Same Origin Policy. While I'm not too familiar with NFC, this does seem like it would create a side-channel that allows two different origins (`blah.intel.com` and `shop.intel.com`, for example) to exchange information, which is a bit opposite of where the Web is going, as it tries to move to private-by-default. Cookies remain the tricky part, but the more features we have to retrofit beyond eTLD+1, the harder it becomes to make a better, safer, web.

On the topic of safety, as that post calls out, using eTLD+1 is frequently "insecure by default". Accidentally leaking cookies, or allowing cookies to be pinned, is definitely bad, but it seems like it would be far worse to allow cross-origin reading of NFC state if someone didn't add themselves to the PSL.

Even if they did add themselves to the PSL, this creates cross-browser compatibility issues; if you were to try to move the NFC device from one browser to another, and they had different versions of the PSL, tags created in one might not be readable in another. Cookie sharing between browsers is very uncommon - usually only when/if you switch browsers and import settings from the old browsers - but I imagine using the same NFC device between different browsers, and even different devices, is an important goal!

If you're looking for stable, interoperable identifiers, then using the fully qualified domain name (... origin) is definitely the way to go here.

Happy to help however I can, @leonhsl and @kenchris, and apologies if I've misunderstood the feature or the motivations. If it's easier to set up a video chat or phone call or something for a higher bandwidth discussion, do let me know. I will try and follow up with @reillyeon to make sure I haven't missed anything.

-- 
GitHub Notification of comment by sleevi
Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/331#issuecomment-530833479 using your GitHub account

Received on Thursday, 12 September 2019 13:45:31 UTC
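
The eTLD+1 versus origin comparison discussed in the comment above, as an added example (not part of the original message, and not Chromium or Web NFC code). The two suffix lists are constructed stand-ins for different PSL versions, `hosting.example` is a hypothetical private suffix, and the matcher is simplified (no wildcard or exception rules).

```javascript
// Constructed suffix lists standing in for two browsers' PSL snapshots.
// "hosting.example" is a hypothetical private suffix present only in the newer list.
const PSL_OLD = new Set(["com", "example"]);
const PSL_NEW = new Set(["com", "example", "hosting.example"]);

// Simplified eTLD+1: longest matching suffix plus one more label.
// Real PSL matching also handles wildcard and exception rules, omitted here.
function registrableDomain(host, psl) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (psl.has(suffix)) {
      // The host itself is a public suffix: there is no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// PSL-based check: the answer depends on which list the browser shipped with.
function sameSite(urlA, urlB, psl) {
  const a = registrableDomain(new URL(urlA).hostname, psl);
  const b = registrableDomain(new URL(urlB).hostname, psl);
  return a !== null && a === b;
}

// Origin check: scheme, host and port only, no external list involved.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Hosts from the comment: distinct origins, but one "site" under eTLD+1.
const blah = "https://blah.intel.com/";
const shop = "https://shop.intel.com/";
// Constructed tenants of the hypothetical hosting provider.
const alice = "https://alice.hosting.example/";
const bob = "https://bob.hosting.example/";

console.log("intel.com hosts, eTLD+1:", sameSite(blah, shop, PSL_NEW));   // grouped together
console.log("intel.com hosts, origin:", sameOrigin(blah, shop));          // kept apart
console.log("tenants, old list:", sameSite(alice, bob, PSL_OLD));         // grouped (suffix missing)
console.log("tenants, new list:", sameSite(alice, bob, PSL_NEW));         // kept apart
console.log("tenants, origin:", sameOrigin(alice, bob));                  // kept apart, always
```

The two tenants are treated as one site until the provider's suffix reaches the list a given browser ships, while the origin comparison gives the same answer everywhere.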