[whatwg] Device Element

Boris Zbarsky bzbarsky at MIT.EDU
Tue Jan 4 11:15:08 PST 2011


On 1/4/11 5:48 AM, Diogo Resende wrote:
> Flash is insecure because there's no security policies. It's similiar to
> the firefox feature to read files: you read all or you read none. That's
> not a good policy. Something similar to the geolocation would be better
> (this specific site/app can access this specific device).

The problem with adding more capabilities like this in an ad-hoc way is 
that it involves user trust, and worse yet it involves trust in things 
the user can't audit and won't realize they're trusting.

For example, say www.foo.com requests access to the user's USB devices. 
  If the user allows the request, then they are trusting that:

1) The site is not malicious (this is the part the user probably
    thinks about when deciding to trust).
2) The site is loaded securely (entirely over https:).  If not,
    there's no guarantee you're talking to the right site.
3) The site has no script-injection vulnerabilities.
4) The site won't be hacked.
5) All the user's CAs are aboveboard and not cooperating with the ISP
    to fake sites (not a given in some countries!).

There are likely a few other things being trusted here that I'm not 
thinking of; I can guarantee that typical users won't think of #3-5 
above, and many won't think of #2 above.

I realize that _you_ trust #2-4 about your own web site.  But frankly, 
history says I shouldn't thus trust your site....

Perhaps we need a stronger model where permission to access devices is 
granted not to an origin but to a particular script (with the hash of 
the script stored and permission denied on hash mismatch or something). 
  I don't know.  But granting blanket access to an entire origin seems 
questionable to me.

-Boris



More information about the whatwg mailing list