- From: Titouan Rigoudy <notifications@github.com>
- Date: Wed, 29 Sep 2021 03:18:11 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/572/930043420@github.com>
> This is the reason why it would be good for some services to see them not as services, but as attached pseudo-devices (the printer case). Making sure I understand your concern correctly: 1. Certain devices will not be able to update and support CORS preflights, for example old printers 2. There should be a way for websites to request access to such devices that bypasses PNA restrictions If I've understood correctly, then I can certainly see your point. I have two reservations, however: 1. This mechanism would significantly reduce the incentive for devices to implement PNA proper. In other words, it seems advantageous for device maintainers (and disadvantageous for user security) to classify *all* services as pseudo-devices. 2. It begs the question: how do you identify a pseudo-device? IP address alone works to an extent, but is hardly fool-proof. mDNS names are not authenticated either, though one could argue that on the private network they should be relatively stable. > On the second point, I think there is a difference between the local network and the private networks you can reach, like corporate private networks. The pseudo-device use case makes sense only for local networks, not for corporate private networks, for example. Oh, so you propose allowing the pseudo-device attachment only work within the currently subnet(s)? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/572#issuecomment-930043420
Received on Wednesday, 29 September 2021 10:18:23 UTC