On 09/06/2013 10:59 AM, Oliver Hunt wrote: > On Sep 6, 2013, at 9:44 AM, youenn fablet <youe...@gmail.com > <mailto:youe...@gmail.com>> wrote: >> >> For starters, most of users wouldn't even know what a local >> network is; let alone what discovering media sources, etc... mean. >> >> Most users may not be able to understand what means "discover local >> network DACP servers". >> But if a user is requested to grant/deny access to "Bob music >> library" service (the service being a DACP server), the situation >> seems getting better. >> The spec is a work in progress and may be improved. > > For the sake of argument let's say this "discovery" is allowed to > occur. How do you talk to "Bob music library" without the web page > sending raw data to/from the DACP server? The spec isn't very clear about how the permissions work, but I think we could protect users from accidentally giving permission and fingerprinting by making the permissions work like this:
* When prompting the user for permission, get the list of discovered services and ask the user if they want to give the application access to any of them. An implementation could using checkboxes, for example, but with the default state being unchecked. If the user clicks "ok" without looking at it, the result is an empty list. * Remove PERMISSION_DENIED_ERR. If permission is denied, just return an empty object. This way, a JavaScript application can't tell the difference between an empty network and not having permission to see any of the services. I'll look into proposing this change to the spec.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ webkit-dev mailing list webkit-dev@lists.webkit.org https://lists.webkit.org/mailman/listinfo/webkit-dev