W3C home > Mailing lists > Public > public-webrtc@w3.org > August 2013

setIdentityProvider question

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Mon, 12 Aug 2013 12:56:32 +0100
Message-ID: <5208CD70.7010900@cs.tcd.ie>
To: "public-webrtc@w3.org" <public-webrtc@w3.org>

Hi,

I've a question about this function. [1]

If I've read it right, it allows a site to tell a browser to use
a given IdP, which sounds useful.

However, what if that site isn't nice or has been hacked and e.g.
tells a browser to use paypa1.com (or some other look-alike/cousin
domain)? That'd seem to be a nice phishing vector.

Perhaps section 8.2.2 should contain a MUST for browsers to do
something special in the chrome for a provider value that its
never seen before? Or, are there other mitigations that'd avoid
or detect the problem?

I also wondered about how i18n is handled when a DOMString is
interpreted as a domain name. That's documented somewhere else
I guess and shouldn't be here, but maybe a reference would be
a good idea (it'd help me at least).

Apologies in advance if this has been discussed - I didn't see
it in the (voluminous:-) archive.

Cheers,
S.

PS: I may have more questions, we're using webrtc as a case
study in a small FP7 security project. [2] If there're areas
of the spec that could use some more security eyeballs, then
feel free to point me at those (offlist I guess).

[1]
http://dev.w3.org/2011/webrtc/editor/webrtc.html#rtcpeerconnection-interface-extensions-3

[2] http://www.strews.eu/
Received on Monday, 12 August 2013 11:56:57 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 15:19:35 UTC