Request for feedback from Web Security IG: Presentation API WD

Hello Web Security IG,

The Second Screen Working Group has published an updated Working Draft 
of its Presentation API, which enables web content to access external 
presentation-type displays and use them for presenting web content:

  http://www.w3.org/TR/presentation-api/

The group would like to draw the attention of this group to this working 
draft and request feedback on a couple of security issues.

Please note the group got in touch with the TAG on these issues, see 
thread at:

  https://lists.w3.org/Archives/Public/www-tag/2015Jul/0001.html

The main issue is with the specification of security requirements for 
the messaging channel. As much as possible, the Presentation API will 
remain agnostic of the protocol used for the messaging channel as long 
as it is capable of carrying DOMString payloads in a reliable and 
in-order fashion. A user agent could perhaps communicate with the second 
device using the WebSockets protocol or a WebRTC data channel.

However, when the controlling page is loaded in a secure context, the 
spec should set some guarantees of message confidentiality and 
authenticity ("only secure WebSockets"). Do you have suggestions on ways 
to specify security requirements in a generic manner?

See relevant discussion in:
https://github.com/w3c/presentation-api/issues/80


More generically, we invite you to check the initial security and 
privacy considerations section and let us know about comments and 
suggestions that you might have.

See evaluation in:
https://github.com/w3c/presentation-api/issues/45

Thanks,
Francois Daoust, Staff Contact
Second Screen Presentation Working Group

Received on Wednesday, 1 July 2015 14:48:00 UTC
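The two requirements the message above raises for the messaging channel (reliable, in-order delivery of DOMString payloads, and confidentiality plus authenticity when the controlling page is in a secure context) can be expressed as a small policy check. The following is an added example, not code from the Presentation API specification or the Working Group; the channel descriptor objects, the `dtlsFingerprintVerified` flag and the function names are constructed assumptions for illustration.

```javascript
// Hypothetical user-agent policy for the controller <-> receiver channel.
// Channel descriptors are constructed sample objects, not spec types.

// Requirement 1: the channel must carry DOMString payloads reliably and in order.
function isReliableInOrder(channel) {
  switch (channel.kind) {
    case "websocket":
      // WebSocket delivers messages reliably and in order by construction.
      return true;
    case "webrtc-datachannel":
      // An RTCDataChannel is reliable and ordered only when ordered is true
      // and neither partial-reliability option has been set.
      return channel.ordered === true &&
        channel.maxRetransmits === undefined &&
        channel.maxPacketLifeTime === undefined;
    default:
      return false;
  }
}

// Requirement 2: confidentiality and authenticity. wss: runs over TLS;
// WebRTC data channels run over DTLS, so we additionally require that the
// remote DTLS fingerprint was verified through signaling (assumed flag).
function isConfidentialAndAuthenticated(channel) {
  switch (channel.kind) {
    case "websocket":
      return new URL(channel.url).protocol === "wss:";
    case "webrtc-datachannel":
      return channel.dtlsFingerprintVerified === true;
    default:
      return false;
  }
}

// Decide whether a candidate channel may back a presentation connection.
// Secure-context controllers get the "only secure WebSockets"-style rule;
// the reliability rule applies regardless of context.
function evaluateChannel(controllerIsSecureContext, channel) {
  const reasons = [];
  if (!isReliableInOrder(channel)) {
    reasons.push("channel is not reliable and in-order");
  }
  if (controllerIsSecureContext && !isConfidentialAndAuthenticated(channel)) {
    reasons.push("secure context requires an encrypted, authenticated channel");
  }
  return { allowed: reasons.length === 0, reasons };
}
```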