[webkit-dev] Proposed feature: Network Service Discovery

Ryosuke Niwa rniwa at webkit.org
Sat Aug 31 15:35:12 PDT 2013

As far as I read the spec, websites can't probe the local network. The UAs
are supposed to do that periodically and expose the list of media services
they maintain when asked.

Having said that, I agree that I don't think asking the user whether it's
okay for a website to discover media sources or output in the local
network is a good security model.

For starters, most users wouldn't even know what a local network is, let
alone what discovering media sources, etc. means.

It's also a very good way to fingerprint users.  How many users have the same
set of speakers, etc., let alone the same set of media content?

- R. Niwa

On Saturday, August 31, 2013, Alexey Proskuryakov wrote:

> On 30.08.2013, at 15:53, Dirk Pranke <dpranke at chromium.org> wrote:
>> The draft does contain the sentence "Web pages should not be able to
>> communicate with Local-networked Services that have not been authorized by
>> the user thereby maintaining the user's privacy" in the use cases section;
>> this should definitely be emphasized and fleshed out, in a security section.
>> How does the user know what they're doing?  If there's an ad/unescaped
>> comment containing something malicious should a remote site be able to know
>> what services you have in your internal network?
> I'm not sure I understand your question, but I'm talking about the user
> having to opt-in to disclosing services, similar to the opt-ins we do for
> geolocation, media capture, local files, etc., e.g., "Spotify would like to
> know if you have any local media receivers", etc. ...
> "Would you like to install malware onto all networked printers in your
> office? Please click OK to get rid of this dialog, and finally start the
> browser game you want to play."
> - WBR, Alexey Proskuryakov

- R. Niwa