[webkit-dev] Proposed feature: Network Service Discovery

Dirk Pranke dpranke at chromium.org
Fri Aug 30 12:44:48 PDT 2013


On Fri, Aug 30, 2013 at 10:06 AM, Oliver Hunt <oliver at apple.com> wrote:

>
> On Aug 30, 2013, at 9:15 AM, Brendan Long <self at brendanlong.com> wrote:
>
> > On 08/29/2013 05:45 PM, Benjamin Poulain wrote:
> >> Can you explain a bit what it is for? What are the common use cases?
> > This would be useful for certain kinds of web apps. For example, a music
> > website like Pandora or Spotify could allow users to include music on their
> > local network. Or a service like Netflix could include local network movies
> > (on networked hard drives, or DVRs) in their search results, and play them
> > from the same interface.
>
> Here's my concern - if you say "a service like <x>" might want to search
> for something, that is better described as "a random website".  That may be
> something the user wants, alternatively it could be something evil.  It
> could also be something evil embedded in an ad on the site a user "trusts".
>
> My concern here is that as a web spec this essentially acts as a way for
> arbitrary web content from any source to perform a network scan of your
> local machine and get data about your internal network topology and
> services from inside your firewall.  That's a really scary concept to me.
>

While there are certainly security concerns that need to be clearly
thought through and addressed, the spec isn't as broad as you make it
sound. It picks up services that are advertising themselves, after all; you
can't probe. (Unless you've noticed something in the spec I haven't; I've
scanned the spec, but not read it super-carefully).

Another use case for this is for devices like AppleTVs and ChromeCast ...
receivers advertise themselves on the local network, and the browser (and
browser-based apps) can identify available receivers that you can send
media to.

The draft does contain the sentence "Web pages should not be able to
communicate with Local-networked Services that have not been authorized by
the user thereby maintaining the user's privacy" in the use cases section;
this should definitely be emphasized and fleshed out, in a security section.

-- Dirk