<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><br></div>I also don't think it should be added to WebKit. <div><br></div><div>In addition to other reasons stated, the spec has obvious severe security risks which are not adequately addressed by a permissions dialog.</div><div><br></div><div><a href="https://dvcs.w3.org/hg/dap/raw-file/07345c55f11f/discovery-api/Overview.html#communicating-with-a-networked-service">Section 7</a> of the spec allows a webpage to bypass the same-origin security model to communicate with "discovered" services via HTTP. Discovery is via ZeroConf, UPnP or DIAL. Consider that this will include things like printers, routers, intranet servers, and other devices where access to the HTTP interface is potentially very dangerous. </div><div><br></div><div>The spec is supposedly designed for "media servers", but nothing limits it to that. </div><div><br></div><div>In addition to the obviously dangerous cases (reconfiguring your home router), most devices intended for use on a home network or firewalled intranet have many security vulnerabilities and could be exploited by throwing untrusted data at them.<br><div><br></div><div>Regards,</div><div>Maciej</div><div><br><div><div>On Sep 6, 2013, at 2:21 PM, Benjamin Poulain &lt;<a href="mailto:benjamin@webkit.org">benjamin@webkit.org</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<div bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">+1<br>
<br>
After the concerns raised, I am not convinced the feature fits
into the engine.<br>
I am also not convinced this needs WebKit support to be
implemented.<br>
<br>
Benjamin<br>
<br>
<br>
On 9/6/13 10:39 AM, Anders Carlsson wrote:<br>
</div>
<blockquote cite="mid:C4B4CDEE-5E61-46DE-B76D-D1ED1D59E085@apple.com" type="cite">
I agree.
<div><br>
</div>
<div>This also seems like it’s something that could be implemented
by a client application using our JS object extension hooks
without touching WebKit at all.</div>
<div><br>
</div>
<div>- Anders</div>
<div><br>
<div>
<div>On Sep 6, 2013, at 10:30 AM, Simon Fraser &lt;<a moz-do-not-send="true" href="mailto:simon.fraser@apple.com">simon.fraser@apple.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;">Perhaps before we
spend any more time discussing the security implications
of Network Service Discovery, we should decide whether it
fits with the goals of the WebKit project:
<div><br>
</div>
<div><a moz-do-not-send="true" href="https://www.webkit.org/projects/goals.html">https://www.webkit.org/projects/goals.html</a></div>
<div><br>
</div>
<div>It’s not at all clear to me that it does.</div>
<div><br>
</div>
<div>Simon</div>
<div><br>
<div>
<div>On Sep 6, 2013, at 9:59 AM, Oliver Hunt &lt;<a moz-do-not-send="true" href="mailto:oliver@apple.com">oliver@apple.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="word-wrap: break-word;
-webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;"><br>
<div>
<div>On Sep 6, 2013, at 9:44 AM, youenn fablet
&lt;<a moz-do-not-send="true" href="mailto:youennf@gmail.com">youennf@gmail.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">Hi Ryosuke,
<div>
<div><br>
</div>
<div>The two points you are mentioning
make sense to me.</div>
<div> <br>
</div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US"><p>For starters, most users
wouldn't even know what a local
network is; let alone what
discovering media sources, etc...
mean.</p>
</div>
</blockquote>
<div>
Most users may not be able to
understand what “discover local
network DACP servers” means.</div>
</div>
<div>But if a user is requested to
grant/deny access to “Bob music library”
service (the service being a DACP
server), the situation seems to be getting
better.</div>
<div>The spec is a work in progress and
may be improved.</div>
</div>
</div>
</blockquote>
<div><br>
</div>
</div>
For the sake of argument let's say this
"discovery" is allowed to occur. How do you talk
to "Bob music library" without the web page
sending raw data to/from the DACP server?
<div><br>
</div>
<div>--Oliver</div>
</div>
_______________________________________________<br>
webkit-dev mailing list<br>
<a moz-do-not-send="true" href="mailto:webkit-dev@lists.webkit.org">webkit-dev@lists.webkit.org</a><br>
<a moz-do-not-send="true" href="https://lists.webkit.org/mailman/listinfo/webkit-dev">https://lists.webkit.org/mailman/listinfo/webkit-dev</a><br>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</blockquote></div><br></div></div></body></html>