There's multiple reasons to fail in the network layer rater than at the API: * A generic network error used for various reasons gives less information to an attacker. Browsers can still expose more granular information in the developer console. * A network error usually degrades more gracefully than an API starting to throw an exception it previously did not throw. There's less chance for the application to fall apart. * Architecturally, using the network layer for security checks reduces the risk of new APIs forgetting about some of them. Unknown schemes seem somewhat different though and it might well make sense to fail at the API boundary there to allow for feature testing. -- GitHub Notification of comment by annevk Please view or discuss this issue at https://github.com/w3c/webrtc-extensions/issues/52#issuecomment-728811972 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-configReceived on Tuesday, 17 November 2020 09:43:39 UTC
This archive was generated by hypermail 2.4.0 : Saturday, 6 May 2023 21:19:52 UTC