- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Mon, 12 Aug 2013 12:56:32 +0100
- To: "public-webrtc@w3.org" <public-webrtc@w3.org>
Hi, I've a question about this function. [1] If I've read it right, it allows a site to tell a browser to use a given IdP, which sounds useful. However, what if that site isn't nice or has been hacked and e.g. tells a browser to use paypa1.com (or some other look-alike/cousin domain)? That'd seem to be a nice phishing vector. Perhaps section 8.2.2 should contain a MUST for browsers to do something special in the chrome for a provider value that its never seen before? Or, are there other mitigations that'd avoid or detect the problem? I also wondered about how i18n is handled when a DOMString is interpreted as a domain name. That's documented somewhere else I guess and shouldn't be here, but maybe a reference would be a good idea (it'd help me at least). Apologies in advance if this has been discussed - I didn't see it in the (voluminous:-) archive. Cheers, S. PS: I may have more questions, we're using webrtc as a case study in a small FP7 security project. [2] If there're areas of the spec that could use some more security eyeballs, then feel free to point me at those (offlist I guess). [1] http://dev.w3.org/2011/webrtc/editor/webrtc.html#rtcpeerconnection-interface-extensions-3 [2] http://www.strews.eu/
Received on Monday, 12 August 2013 11:56:57 UTC