Re: ISSUE-3: Security concerns around Home Networking APIs

[Samsung] Security/Privacy for UPnP/DLNA HN devices was a significant concern during the development of CEA-2014-B (Remote UI).

The following measures were implemented:

1. By default, pages that accessed HN devices were opened in "sandbox" mode where access to services such as cookies, XHR and Forms that could be used to upload information outside the home were restricted. The page could detect if the browser was in this mode. The UA could designate "trusted" domains where HN pages were permitted full access to UA facilities.

2. HN devices were protected by user-assigned passwords that were stored/managed by the UA. Pages accessing HN devices would be required to provide the correct password to the UA before it would "unlock" page access to HN Methods. Note some methods were non-password protected to allow basic device discovery to take place. The UA was required to expire passwords, in which case the page would need to resubmit the password to continue to have access to the device.

Received on Tuesday, 26 April 2011 13:36:08 UTC