DIAL Specification 1.7.2 Released
Post date: Apr 06, 2015 11:27:26 PM
An attack vector against DIAL-enabled devices was reported to us by NCC Group. It allows JavaScript running in a browser on a second-screen DIAL device to launch an application on a first-screen DIAL device on the same network. The JavaScript can be embedded in any website, and in particular can reach a victim's browser through third-party ad delivery mechanisms.
The previous version of DIAL (1.7.1) sends CORS headers but does not define any access policy, and the reference DIAL server implementation places no restriction on the Origin header, so the server acts on an XHR launch request sent from a page on any domain. CORS response headers alone cannot prevent this: a cross-origin POST with no custom headers is a CORS "simple request", which the browser sends to the server before it ever looks at Access-Control-Allow-Origin, so the launch has already happened by the time the browser decides whether the page may read the response. The server itself must therefore check the Origin and refuse to launch. To solve the issue, the DIAL 1.7.2 spec was updated to define a CORS access policy on the DIAL server that does not break compatibility with existing devices.
The new CORS access policy will:
Check the CORS Origin header against an application-specific authorization list (the DIAL server is patched to accept launch requests only from authorized domains),
Apply that check only to Origin values with the "http", "https" and "file" URI schemes; Origin values with other schemes are passed through unchecked (required for backwards compatibility with existing clients),
Allow requests that carry no Origin header at all, which CORS permits for non-browser user agents (required for backwards compatibility with non-browser, third-party DIAL clients). Note that this policy therefore defends against launches triggered from a browser; a native client on the local network remains trusted, as it was before.
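The policy above, written out as a server-side check. This is an added example, not code from the DIAL specification or the reference server: the application names and authorized-origin lists are constructed placeholders, the handler shape is invented for illustration, and one decision the page does not cover is made here and labelled as such (a literal "null" Origin, which browsers send for file:// pages and sandboxed frames, is rejected because it cannot be matched to any authorized domain). The handler also shows the point that matters for the fix: the refusal has to happen before the launch, since the browser has already sent the POST.

```python
"""Origin policy check for a DIAL server, in the shape described by the
DIAL 1.7.2 announcement: an app-specific authorization list, checked only
for the http/https/file schemes, with Origin-less requests allowed."""
from urllib.parse import urlsplit

# Constructed sample authorization lists, keyed by DIAL application name.
# Real lists come from the application vendor; these are placeholders.
AUTHORIZED_ORIGINS = {
    "YouTube": {"https://www.youtube.com", "https://youtube.com"},
    "Netflix": {"https://www.netflix.com"},
}

# Only these schemes are checked; anything else is passed through so that
# existing non-web clients (e.g. a browser extension) keep working.
CHECKED_SCHEMES = {"http", "https", "file"}


def origin_allowed(app_name, origin):
    """Return True if a launch request for app_name may proceed, given the
    value of its Origin header (None when the header is absent).

    Policy from the 1.7.2 announcement:
      * no Origin header                 -> allowed (non-browser DIAL clients)
      * scheme not in http/https/file    -> not checked, allowed
      * otherwise the origin must appear on the app's authorized list
    Assumption made in this example (not stated on the page): a literal
    "null" Origin is rejected, since it names no domain that could be on
    any authorized list.
    """
    if origin is None:
        return True
    if origin == "null":
        return False
    parts = urlsplit(origin)
    if parts.scheme not in CHECKED_SCHEMES:
        return True
    # Compare on the normalised scheme://host[:port] tuple rather than the
    # raw string, so case differences or a trailing slash do not cause a
    # spurious mismatch, and a path or query can never sneak a match past.
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    allowed = {o.lower().rstrip("/") for o in AUTHORIZED_ORIGINS.get(app_name, ())}
    return normalized in allowed


def handle_launch(app_name, headers):
    """Decide the response to POST /apps/<app_name>.

    Returns (status, response_headers, body). The browser has already sent
    the POST by the time this runs (a cross-origin POST without custom
    headers needs no preflight), so reflecting Access-Control-Allow-Origin
    alone would not stop the launch: the server must refuse to act.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if not origin_allowed(app_name, origin):
        # Refuse before doing anything; do not launch, do not echo the origin.
        return 403, {}, "Forbidden"
    # An authorized request: the platform would launch the app at this point.
    response_headers = {}
    if origin is not None:
        response_headers["Access-Control-Allow-Origin"] = origin
    return 201, response_headers, f"launch {app_name}"


def demo():
    """Run constructed requests through the handler and report the outcomes."""
    cases = {
        "ad script on a random site": {"Origin": "http://ads.example"},
        "lookalike host": {"Origin": "https://www.youtube.com.evil.example"},
        "authorized web origin": {"Origin": "HTTPS://WWW.YOUTUBE.COM/"},
        "browser extension origin": {"Origin": "chrome-extension://abcdefghijklmnop"},
        "native client, no Origin": {},
    }
    return {name: handle_launch("YouTube", hdrs)[0] for name, hdrs in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status}  {name}")
```

With the 1.7.1 behaviour described above, every one of these requests would have launched the app; under the 1.7.2 policy only the two browser-originated requests from unauthorized hosts are refused, and the extension and native-client cases keep working, which is the compatibility the announcement is describing.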
The benefits of this solution are:
Full backwards compatibility with both mobile clients and the Chrome extension,
Full compatibility with third-party DIAL clients,
No specification changes affecting DIAL clients.