Re: Security considerations - a proposal

On 23/04/14 18:21, Martin Thomson wrote:
> On 23 April 2014 04:53, Harald Alvestrand <harald@alvestrand.no> wrote:
>> Security considerations
> Most of these considerations are comm-sec issues that are already
> handled in various IETF documents.
>
> I've no fundamental objection to that, particularly as a set of
> pointers, but I think that the focus needs to be on the web platform.
> There are probably a bunch of web platform issues that we need to
> highlight.  One that springs to mind is the range of concerns around
> user consent or lack thereof.  Noting that a data channel can be
> created to an arbitrary peer without user consent, and why, might go
> some way to addressing a commonly raised, but invalid concern.  Less
> necessary, but in a similar vein, is discussion of access to
> processing and bandwidth resources.
>
> One such concern here is that this API enables the distribution of
> media to other entities.  
I don't think we're that different to the combination of the File API
and xhr/ws. If you trick the user to give the app access to a sensitive
file, the app can do more or less anything with it (including sending it
anywhere, to any domain). Still, it deserves a mentioning I guess.
> The security properties of the web demand
> that cross origin content be inaccessible to content.  Some text on
> that subject is probably appropriate.  (Yes, you can stick me with
> that last one, but it might take me a little while.)
>
>


Received on Wednesday, 23 April 2014 16:31:32 UTC