On Jul 16, 2014 10:34 PM, "Dave Hylands" <dhyla...@mozilla.com> wrote: > > I guess my point is that it isn't always possible to determine what device is connected. You need to know the correct baud rate, hardware-flow-control, serial comms to even talk to the device. Some devices are write-only. Some devices are read-only. Some devices aren't even serial devices at all. They might be an IR-LED that you're just bit-banging the RTS line to generate a signal. > > Here's an example of a write-only device that only uses the DTR signal: http://www.lirc.org/transmitters.html Lots of people use devices like this for controller home theatre systems. Are you going to say you can't use it just because you can't identify the device in a programmatic fashion? > > Even in the USB serial case, you might just detect that a USB-to-serial dongle is attached and not what device is plugged into the dongle. > > What about TCPIP-rs232 servers? Nobody seems to care about permissions at the device level for those. Why should you care about permissions just because its connected directly?
We are in fact currently caring about security for those right now since we do not expose raw TCP sockets to normal webpages (which as I understand it is what's being debated here). However obviously "don't expose it" is a pretty terrible way of handling it. Am I correct in saying that the target audience for this is hardware hackers that are doing development at home. And who want to use the web to control hardware that they themselves hack hooked up to their own computer? If so, one option is to simply control this through an nsIPermissionManager permission. This way there would be no UI in default Firefox for enabling access to this API. However anyone could develop a trivial add-on which enabled configuring individual websites to have access to the API. So someone that wants to use this API could simply use such an add-on to enable the API once and for all for their own website. Of for a friends website. However average users would not really be at risk for being tricked into enabling this API and get their system compromised. This also makes it trivial to enable the API for privileged apps in FirefoxOS or desktop (where I believe privileges apps have now been implemented). / Jonas _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
