- From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- Date: Wed, 23 Apr 2014 16:31:07 +0000
- To: Martin Thomson <martin.thomson@gmail.com>, Harald Alvestrand <harald@alvestrand.no>
- CC: "public-webrtc@w3.org" <public-webrtc@w3.org>
On 23/04/14 18:21, Martin Thomson wrote:
> On 23 April 2014 04:53, Harald Alvestrand <harald@alvestrand.no> wrote:
>> Security considerations
> Most of these considerations are comm-sec issues that are already
> handled in various IETF documents.
>
> I've no fundamental objection to that, particularly as a set of
> pointers, but I think that the focus needs to be on the web platform.
> There are probably a bunch of web platform issues that we need to
> highlight. One that springs to mind is the range of concerns around
> user consent or lack thereof. Noting that a data channel can be
> created to an arbitrary peer without user consent, and why, might go
> some way to addressing a commonly raised, but invalid concern. Less
> necessary, but in a similar vein, is discussion of access to
> processing and bandwidth resources.
>
> One such concern here is that this API enables the distribution of
> media to other entities.

I don't think we're that different to the combination of the File API and xhr/ws. If you trick the user into giving the app access to a sensitive file, the app can do more or less anything with it (including sending it anywhere, to any domain). Still, it deserves a mention, I guess.

> The security properties of the web demand
> that cross origin content be inaccessible to content. Some text on
> that subject is probably appropriate. (Yes, you can stick me with
> that last one, but it might take me a little while.)
Received on Wednesday, 23 April 2014 16:31:32 UTC