Contact emails
mfo...@chromium.org just...@chromium.org markdav...@google.com
Spec
http://www.w3.org/TR/discovery-api/
Summary
The NSD API will allow discovering HTTP-based services advertised on the local network. Use of the API will require an explicit user permission grant. NSD can support more than one underlying discovery protocol (i.e. mDNS, SSDP, DIAL).
Motivation
There is currently no unified way for the web platform to discover local HTTP-based services. This will allow querying the network for available services from nearby devices. This will allow web pages to find and interact in a peer-to-peer fashion with local services.
Compatibility Risk
None at this point. There is an experimental implementation for Opera [1].
Ongoing technical constraints
None
Will this feature be supported on all five Blink platforms (Windows, Mac, Linux, Chrome OS and Android)?
Yes
OWP launch tracking bug?
Row on feature dashboard?
Yes, row 146.
Requesting approval to ship?
No
Have we done a security review on this? The API allows webpages to perform essentially arbitrary communication with TVs, routers, printers, webcams, etc on your LAN, most of which will have ancient insecure drivers, or won't ever have been hardened, since the manufacturers implicitly trusted other devices on your LAN (more than the public internet).
The spec talks about requiring "user authorization", but I struggle to see how we could explain to users the subtleties of making sure all devices on their LAN are up to date and suitably hardened.
Whitelisting devices is probably impractical, given the spec's very generic use cases. But we should consider requiring devices to opt-in to being accessible from the public web, rather like on Android we only enable WebGL on GPUs that implement the GL_ARB_robustness extension.
(The spec is also unusually low-level, and most usages require lots of ugly XML boilerplate according to whatever proprietary schema the specific device you are talking to has chosen; this doesn't feel very "webby". Many of the spec's use cases could be fulfilled by cleaner higher-level APIs, though they obviously wouldn't be as general purpose...)
On Fri, Aug 2, 2013 at 6:03 AM, John Mellor <joh...@chromium.org> wrote:Have we done a security review on this? The API allows webpages to perform essentially arbitrary communication with TVs, routers, printers, webcams, etc on your LAN, most of which will have ancient insecure drivers, or won't ever have been hardened, since the manufacturers implicitly trusted other devices on your LAN (more than the public internet).I don't believe arbitrary network communication is possible, only methods supported through existing protocols (http://, ws://, ftp://, ...)We will of course review this with the Chrome security and privacy teams before anything is released.
The spec talks about requiring "user authorization", but I struggle to see how we could explain to users the subtleties of making sure all devices on their LAN are up to date and suitably hardened.The user messaging will be very important to get right. I also want to address showing the authorization request in terms the user can understand, instead of (or in addition to) low-level uPnP or mDNS service names.
Whitelisting devices is probably impractical, given the spec's very generic use cases. But we should consider requiring devices to opt-in to being accessible from the public web, rather like on Android we only enable WebGL on GPUs that implement the GL_ARB_robustness extension.That's an idea to consider. As the update cycle for many of these devices is on the longer side, very few devices would be available to the API.
(The spec is also unusually low-level, and most usages require lots of ugly XML boilerplate according to whatever proprietary schema the specific device you are talking to has chosen; this doesn't feel very "webby". Many of the spec's use cases could be fulfilled by cleaner higher-level APIs, though they obviously wouldn't be as general purpose...)Yeah...XML...I think the spec is correctly focused on the discovery piece, leaving most of the Web-to-device protocol details to higher level libraries. I believe this will help when extending the API with additional types of discovery down the road.
Adam,Thanks for your feedback. (I'm working with Justin on this.) I'll summarize our response and plan.(1) Agreed that a longer discussion of the security and privacy implications of the API is warranted. Rich posted a section to the spec [1] that is a good starting point; I plan on working with the editors on minimizing the opportunities for harm, and minimizing the ability to fingerprint users of the API, which was brought up by the Chrome privacy team.
(2) Rich posted an update to the spec to address the language around garbage collection.
(3) I reviewed the last several months of list traffic and, to my ability to scan, haven't seen comments or commitment from other browser vendors. I'll let Rich fill in if there are any updates here. I think an effort to evangelize and get additional participation will be helpful to the spec as a whole.
Given the current set of feedback, we plan on working with the spec editors and coming back when we feel it is ready to implement.
On Fri, Aug 16, 2013 at 2:55 PM, mark a. foltz <mfo...@google.com> wrote:Adam,Thanks for your feedback. (I'm working with Justin on this.) I'll summarize our response and plan.(1) Agreed that a longer discussion of the security and privacy implications of the API is warranted. Rich posted a section to the spec [1] that is a good starting point; I plan on working with the editors on minimizing the opportunities for harm, and minimizing the ability to fingerprint users of the API, which was brought up by the Chrome privacy team.The requirements in that section sound like good goals, but it's not entirely clear to me what the risks of implementing this API are. For example, Maciej raised the question of whether this API provides access to vulnerable services that would otherwise be protected by the browser's same-origin policy:I haven't studied the API in enough detail to understand whether this concern is warranted. These are the sorts of issues that are important to understand about the feature.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
cc'ing Rick Tibett to the thread, as this is probably interesting to him.I find it a bit weird how the spec uses promises, so Rick should probably look at https://github.com/w3ctag/promises-guide
On Thu, Feb 20, 2014 at 11:10 PM, <fjhi...@gmail.com> wrote:
The W3C DAP WG published an updated working draft of Network Service Discovery today.This draft includes use of CORs, updates related to garbage collection issues and updated security and privacy consideration sections.I suspect this will help address comments in this thread, and any feedback would be welcome (preferably on DAP public list as noted in the draft)