- From: Kostiainen, Anssi <anssi.kostiainen@intel.com>
- Date: Fri, 7 Feb 2014 13:14:45 +0000
- To: "Rottsches, Dominik" <dominik.rottsches@intel.com>, Anton Vayvod <avayvod@google.com>
- CC: "public-webscreens@w3.org" <public-webscreens@w3.org>
On 06 Feb 2014, at 18:21, Rottsches, Dominik <dominik.rottsches@intel.com> wrote:

> Hi Anton,
>
>> On 06 Feb 2014, at 17:53, Kostiainen, Anssi <anssi.kostiainen@intel.com> wrote:
>>
>>> On 06 Feb 2014, at 17:23, Anton Vayvod <avayvod@google.com> wrote:
>>>
>>>> yes, I meant the selection dialog that the UA shows to the user.
>>>
>>> This would be problematic as it would enable spoofing attacks.
>>
>> Could you describe the attack you have in mind, please?
>
> What I think he means here is that the page could inject device names that would be or trying to match the ones you physically have at home and potentially try to trick the user into redirecting the stream elsewhere.
>
> Generally, allowing data originating from JS or the content into the Browser chrome is risky, since there are different concepts of the user's trust in what happens on the page level and what happens on the Browser UI level.

Thanks Dominik, this was my concern exactly.

-Anssi
Received on Friday, 7 February 2014 13:15:17 UTC