WebKit position on Web NFC

# François Beaufort 🇫🇷 (16 days ago)

Hello WebKit Dev folks,

Following Maciej's invitation to send requests for positions on Web API proposals to webkit-dev, we would like to know WebKit's position on Web NFC: w3c.github.io/web-nfc

Web NFC aims to provide sites the ability to read and write to nearby NFC devices. The current scope is limited to NDEF, a lightweight binary message format. Low-level I/O operations with the ISO-DEP protocol and Host-based Card Emulation (HCE) are not supported.

FYI, an intent to experiment will be posted soon on blink-dev. I'll update this webkit-dev thread with the URL when done.

TAG Review: w3ctag/design-reviews#461

Chromestatus URL: www.chromestatus.com/features/6261030015467520

Mozilla standards-positions: mozilla/standards-positions#238

Thank you, Francois.

# Maciej Stachowiak (16 days ago)

We oppose this feature and will not implement it.

We do not believe a permission prompt is a sufficient mitigation for the serious security and privacy risks raised by this specification. In addition, we think exposing direct hardware access to the web is a bad idea and compromises the device-independence of the web platform.

We can provide more details if desired but it may take a few days.

# François Beaufort 🇫🇷 (9 days ago)

As promised earlier, here's the intent to experiment thread URL we've just sent to blink-dev: groups.google.com/a/chromium.org/forum/#!topic/blink-dev/8bsAd-PsdbA

It would be greatly appreciated if you could share specifics about your decision. Some alternative designs would also help move this discussion forward.

Thank you, Francois.

# François Beaufort 🇫🇷 (3 hours ago)

Gentle ping.

# Ryosuke Niwa (2 hours ago)

I'm not sure what specifics you're looking for, but the issue is that we don't believe a permission prompt is sufficient mitigation. Ordinary people don't understand the full security & privacy implications of granting NFC access when asked.

  • R. Niwa

# François Beaufort 🇫🇷 (2 hours ago)

Maciej said earlier they could provide more details if desired. Would you have any alternative ideas that would help ordinary people understand the full security & privacy implications of granting NFC access?

Thank you, Francois.

# Ryosuke Niwa (an hour ago)

On Wed, Jan 22, 2020 at 12:23 AM François Beaufort 🇫🇷 <fbeaufort at google.com> wrote:

> Maciej said earlier they could provide more details if desired.

Well, you have to tell us what details you're looking for.

> Would you have any alternative ideas that would help ordinary people understand the full security & privacy implications of granting NFC access?

I can't imagine how given most people don't know what NFC is.

I'll go off a bit on a tangent and say that one of the primary strengths of the Web is that users can visit any website without the fear of their computing devices being permanently compromised. Unfortunately, APIs such as Web NFC, Web USB, Web Serial API would pose new threats for persistent attacks on external devices exposed by those APIs. If we continue this path, at some point (or maybe we're already there), the Web will turn into any other non-Web platform where ordinary users can (or are advised to) only use well known trusted applications or visit well known trusted websites just like how native apps work today.

  • R. Niwa
