Re: Security considerations - a proposal

From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
Date: Wed, 23 Apr 2014 16:31:07 +0000
To: Martin Thomson <martin.thomson@gmail.com>, Harald Alvestrand <harald@alvestrand.no>
CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
Message-ID: <1447FA0C20ED5147A1AA0EF02890A64B1CFD8BC0@ESESSMB209.ericsson.se>

On 23/04/14 18:21, Martin Thomson wrote:
> On 23 April 2014 04:53, Harald Alvestrand <harald@alvestrand.no> wrote:
>> Security considerations
> Most of these considerations are comm-sec issues that are already
> handled in various IETF documents.
>
> I've no fundamental objection to that, particularly as a set of
> pointers, but I think that the focus needs to be on the web platform.
> There are probably a bunch of web platform issues that we need to
> highlight.  One that springs to mind is the range of concerns around
> user consent or lack thereof.  Noting that a data channel can be
> created to an arbitrary peer without user consent, and why, might go
> some way to addressing a commonly raised, but invalid concern.  Less
> necessary, but in a similar vein, is discussion of access to
> processing and bandwidth resources.
>
> One such concern here is that this API enables the distribution of
> media to other entities.  

I don't think we're that different to the combination of the File API
and xhr/ws. If you trick the user into giving the app access to a sensitive
file, the app can do more or less anything with it (including sending it
anywhere, to any domain). Still, it deserves a mention, I guess.

> The security properties of the web demand
> that cross origin content be inaccessible to content.  Some text on
> that subject is probably appropriate.  (Yes, you can stick me with
> that last one, but it might take me a little while.)
>
>
Received on Wednesday, 23 April 2014 16:31:32 UTC