Re: [web-nfc] YubiKey NDEF analysis (#543)

Is there some mitigation we should include in the Security section?
AFAICT the current ones cover it; eventually we can add a Note explaining this specific case, given the wide publicity.

Web NFC would serve YubiKey data to the page, which can choose to share it forward.
IIUC the criticism is that Web NFC doesn't enforce a policy that would prevent that.

Note that the group has investigated an origin policy for Web NFC, but that cannot be enforced because of the NFC standard (unless only encrypted content is used for Web NFC, with a special format; but then it becomes an application that is incompatible with the majority of NFC use cases).
However, the threats of using Web NFC are no greater than those of using NFC per se, as 3rd parties (pages) cannot access the Web NFC data of the page using Web NFC unless that page shares it (in which case the use case is _intended_ by the NFC data provider; otherwise it would have encrypted the data).

Restricting further sharing is up to the permissions required by the mechanisms used for further sharing of the data obtained from Web NFC. This is as much a problem of the whole web platform as it is of Web NFC, so I don't see a reason not to offer the API on these particular grounds (the fetch API and others with similar problems exist, where once the data is obtained it can be arbitrarily shared further, without the origin being tracked any longer).

-- 
GitHub Notification of comment by zolkis
Please view or discuss this issue at https://github.com/w3c/web-nfc/issues/543#issuecomment-585722597 using your GitHub account

Received on Thursday, 13 February 2020 12:01:49 UTC