DIAL Specification 1.7.2 Released

posted Apr 6, 2015, 4:27 PM by Unknown user   [ updated Apr 7, 2015, 9:48 AM ]

An attack vector on DIAL-enabled devices was reported to us by NCC Group. This attack allows JavaScript code running on a second-screen DIAL device to launch an application on a first-screen DIAL device. This JavaScript can be embedded in any website, especially through third-party ad delivery mechanisms.

The previous version of DIAL (1.7.1) supports CORS headers but doesn't specify any access policy. The reference DIAL server implementation also doesn't impose any restriction on the Origin, which allows JavaScript XHR requests coming from any domain to be executed by the DIAL server. To solve the issue, the DIAL 1.7.2 spec was updated to define a CORS access policy on the DIAL server that doesn’t break compatibility with existing devices.

The new CORS access policy will:

  1. Check the CORS Origin header against an application-specific authorization list (patches DIAL to check for authorized domains),
  2. Restrict checking to the following URI schemes: “http”, “https” and “file” (required for backwards compatibility with existing clients),
  3. Allow requests that don’t include an Origin header as CORS mandates (required for backwards compatibility with non-browser based, 3rd-party DIAL clients).

The benefits of this solution are:

  • Full backwards compatibility with both mobile clients and the Chrome extension,
  • Full compatibility with 3rd party DIAL clients,
  • No specification changes affecting DIAL clients.
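
The three-step policy above written as a server-side check, added here as an example and not taken from the DIAL specification or the reference server. The application name, the authorized origins and the exact scheme/host/port comparison are assumptions; origins whose scheme falls outside item 2 are treated as unchecked, following the wording of that item.

```python
from urllib.parse import urlsplit

# Item 2: only origins with these schemes are checked against the list.
CHECKED_SCHEMES = {"http", "https", "file"}

# Constructed per-application authorization list (hypothetical app and domains).
AUTHORIZED_ORIGINS = {
    "ExampleApp": {"https://app.example.com", "https://tv.example.com"},
}


def _normalize(origin):
    """Parse an Origin value into (scheme, host, port); None if malformed."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def origin_allowed(app_name, origin):
    """Decide whether a DIAL request for app_name may proceed.

    origin is the value of the Origin request header, or None if absent.
    """
    # Item 3: requests without an Origin header (non-browser clients) pass.
    if origin is None:
        return True
    candidate = _normalize(origin)
    if candidate is None:
        return False  # malformed Origin value: reject
    # Item 2: schemes other than http/https/file are not checked.
    if candidate[0] not in CHECKED_SCHEMES:
        return True
    # Item 1: compare against this application's authorization list.
    # Parsed components are compared exactly, so an origin that merely
    # starts with an authorized string does not match.
    allowed = {_normalize(o) for o in AUTHORIZED_ORIGINS.get(app_name, ())}
    return candidate in allowed
```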

DIAL Specification 1.7 Released

posted May 26, 2014, 11:41 AM by Unknown user

DIAL Specification 1.7 is now available. 

We recommend that devices which implement DIAL include support for the most current version of DIAL.

Highlights of this release include:
  • Support for multiple second-screen devices on one DIAL server.
  • The <additionalData> field has been added to the XML schema.
  • The <dialVer> field has been added to the XML schema.

For additional details please review the DIAL Protocol Specification.

DIAL Reference Software corresponding to the current specification can be found in Sample Implementations.

Subscribe to this feed for changes & updates

posted Mar 1, 2013, 10:27 AM by Richard Smith

Subscribe to this page's RSS feed to be notified of updates to the DIAL Protocol Specification, the sample software posted here, and other news or site changes. 
