Hi Dom,

On Mar 7, 2011, at 11:57 AM, Dominique Hazael-Massieux wrote:

> Hi Ben,
> 
> On Friday, 25 February 2011 at 14:04 +0000, Ben Laurie wrote:
>>> As part of a European research project I'm involved in [1], I've
>>> compiled a report on the existing technologies in development (or in
>>> discussion) at W3C for building Web applications and that are
>>> particularly relevant on mobile devices:
>>> http://www.w3.org/2011/02/mobile-web-app-state.html
>> 
>> Nothing on security?
> 
> It does mention the work on CORS and the work around widgets security,
> but there is no dedicated section on security — I'm not sure what would
> appear there that would be particularly relevant on mobile devices, any
> suggestion?

For example, mobile devices are usually correlated with a single individual, or 
at most a small group of people. The data contained on them is often personal. 
As such, identifiers related to mobile devices (phone number, IMEI) constitute 
sensitive information. 

In addition, they carry an increasing array of sensors again closely related to 
a single individual (e.g. GPS). 

By providing JavaScript APIs to device functionality, we are opening up a 
mechanism which allows unidentified (or, identified mostly only by unreliable 
technologies) access to personal and/or sensitive information. There are some 
security benefits to doing so with JavaScript APIs accessible only to the 
recipient of an HTTP request initiated by the user, but also some potential 
pitfalls. 

Of course, I can't tell if that's what Ben was alluding to with his question ;)

Regards,

- John


