Re: Limiting requests from the internet to the intranet. from Chris Palmer on 2016-01-06 (public-webappsec@w3.org from January 2016)

From: Chris Palmer <palmer@google.com>
Date: Wed, 6 Jan 2016 14:06:21 -0800
To: "Oda, Terri" <terri.oda@intel.com>
Cc: Mike West <mkwst@google.com>, Richard Barnes <rbarnes@mozilla.com>, Erik Nygren <erik+w3@nygren.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>, Ryan Sleevi <sleevi@google.com>, Justin Schuh <jschuh@google.com>, Devdatta Akhawe <dev@dropbox.com>, Anne van Kesteren <annevk@annevk.nl>, lee@asgard.org
Message-ID: <CAOuvq23+242gxdJbFT_Bjj4DEH1vP7C2qv5iw-jbuP0Q75x83g@mail.gmail.com>

On Wed, Jan 6, 2016 at 2:04 PM, Oda, Terri <terri.oda@intel.com> wrote:

Just to add another data point: I know some of Intel's products use the
> Pebble-like scenario and have been told that blocking would be a
> significant problem for some of our groups.  It most recently came up in
> discussions of RealSense 3d camera support, and I suspect some of the
> projects involve relatively new tech hardware that doesn't yet have
> standards for communication, and the teams involved were hoping to use web
> APIs to make things easier for developers.
>
> I can ask around internally for more information beyond "yes this is a
> thing that we use and removing it would be a hardship" if people are
> interested in more details.
>

The proposal at this point is not to remove it, but to require your Real
Sense cameras to opt in to being contacted by public web origins.

Of course, your cameras should also actually be hardened against the
attacks that opting in makes possible: SQL injection, shell injection,
CSRF, ...

Received on Wednesday, 6 January 2016 22:06:51 UTC