[webkit-dev] WebKit position on Web NFC

Ryosuke Niwa rniwa at webkit.org
Wed Jan 22 01:23:29 PST 2020


On Wed, Jan 22, 2020 at 12:23 AM François Beaufort <
fbeaufort at google.com> wrote:

> Maciej said earlier they could provide more details if desired.
>

Well, you have to tell us what details you're looking for.

> Would you have any alternative ideas that would help ordinary people
> understand the full security & privacy implications of granting NFC access?
>

I can't imagine how given most people don't know what NFC is.

I'll go off a bit on a tangent and say that one of the primary strengths of
the Web is that users can visit any website without the fear of their
computing devices being permanently compromised. Unfortunately, APIs such
as Web NFC, Web USB, Web Serial API would pose new threats for persistent
attacks on external devices exposed by those APIs. If we continue this
path, at some point (or maybe we're already there), the Web will turn into
any other non-Web platform where ordinary users can (or are advised to)
only use well known trusted applications or visit well known trusted
websites just like how native apps work today.

- R. Niwa

> On Wed, Jan 22, 2020 at 8:15 AM Ryosuke Niwa <rniwa at webkit.org> wrote:
>
>> I'm not sure what specifics you're looking for but the issue is that we
>> don't believe permission prompt is sufficient mitigation. Ordinary people
>> don't understand the full security & privacy implications of granting NFC
>> access when asked.
>>
>> - R. Niwa
>>
>> On Wed, Jan 22, 2020 at 12:04 AM François Beaufort <
>> fbeaufort at google.com> wrote:
>>
>>> Gentle ping.
>>>
>>> On Mon, Jan 13, 2020 at 12:56 PM François Beaufort <
>>> fbeaufort at google.com> wrote:
>>>
>>>> As promised earlier, here's the intent to experiment thread URL we've
>>>> just sent to blink-dev:
>>>> https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/8bsAd-PsdbA
>>>>
>>>> It would be greatly appreciated if you could share specifics about your
>>>> decision.
>>>> Some alternative designs would also help move this discussion forward.
>>>>
>>>> Thank you,
>>>> Francois.
>>>>
>>>> On Mon, Jan 6, 2020 at 10:48 PM Maciej Stachowiak <mjs at apple.com>
>>>> wrote:
>>>>
>>>>>
>>>>> We oppose this feature and will not implement it.
>>>>>
>>>>> We do not believe a permission prompt is a sufficient mitigation for
>>>>> the serious security and privacy risks raised by this specification. In
>>>>> addition, we think exposing direct hardware access to the web is a bad idea
>>>>> and compromises the device-independence of the web platform.
>>>>>
>>>>> We can provide more details if desired but it may take a few days.
>>>>>
>>>>> On Jan 5, 2020, at 11:40 PM, François Beaufort <
>>>>> fbeaufort at google.com> wrote:
>>>>>
>>>>> Hello WebKit Dev folks,
>>>>>
>>>>> Following Maciej's invitation to send requests for positions on Web
>>>>> API proposals to webkit-dev, we would like to know WebKit's position on Web
>>>>> NFC: https://w3c.github.io/web-nfc/
>>>>>
>>>>> Web NFC aims to provide sites the ability to read and write to nearby
>>>>> NFC devices. The current scope is limited to NDEF, a lightweight binary
>>>>> message format. Low-level I/O operations with the ISO-DEP protocol and
>>>>> Host-based Card Emulation (HCE) are not supported.
>>>>>
>>>>> FYI, an intent to experiment will be posted soon on blink-dev.
>>>>> I'll update this webkit-dev thread with the URL when done.
>>>>>
>>>>> TAG Review: https://github.com/w3ctag/design-reviews/issues/461
>>>>> Chromestatus URL:
>>>>> https://www.chromestatus.com/features/6261030015467520
>>>>> Mozilla standards-positions:
>>>>> https://github.com/mozilla/standards-positions/issues/238
>>>>>
>>>>> Thank you,
>>>>> Francois.
>>>>> _______________________________________________
>>>>> webkit-dev mailing list
>>>>> webkit-dev at lists.webkit.org
>>>>> https://lists.webkit.org/mailman/listinfo/webkit-dev