
Re: Limiting requests from the internet to the intranet.

From: Chris Palmer <palmer@google.com>
Date: Wed, 6 Jan 2016 14:06:21 -0800
Message-ID: <CAOuvq23+242gxdJbFT_Bjj4DEH1vP7C2qv5iw-jbuP0Q75x83g@mail.gmail.com>
To: "Oda, Terri" <terri.oda@intel.com>
Cc: Mike West <mkwst@google.com>, Richard Barnes <rbarnes@mozilla.com>, Erik Nygren <erik+w3@nygren.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>, Ryan Sleevi <sleevi@google.com>, Justin Schuh <jschuh@google.com>, Devdatta Akhawe <dev@dropbox.com>, Anne van Kesteren <annevk@annevk.nl>, lee@asgard.org

On Wed, Jan 6, 2016 at 2:04 PM, Oda, Terri <terri.oda@intel.com> wrote:

> Just to add another data point: I know some of Intel's products use the
> Pebble-like scenario and have been told that blocking would be a
> significant problem for some of our groups.  It most recently came up in
> discussions of RealSense 3d camera support, and I suspect some of the
> projects involve relatively new tech hardware that doesn't yet have
> standards for communication, and the teams involved were hoping to use web
> APIs to make things easier for developers.
>
> I can ask around internally for more information beyond "yes this is a
> thing that we use and removing it would be a hardship" if people are
> interested in more details.
>

The proposal at this point is not to remove it, but to require your Real
Sense cameras to opt in to being contacted by public web origins.

Of course, your cameras should also actually be hardened against the
attacks that opting in makes possible: SQL injection, shell injection,
CSRF, ...
Received on Wednesday, 6 January 2016 22:06:51 UTC
