DIAL Specification 1.7.2 Released

Post date: Apr 06, 2015 11:27:26 PM

An attack vector on DIAL-enabled devices was reported to us by NCC Group. This attack allows JavaScript code running on a second-screen DIAL device to launch an application on a first-screen DIAL device. This JavaScript can be embedded in any website, in particular through third-party ad delivery mechanisms.

The previous version of DIAL (1.7.1) supports CORS headers but doesn't specify any access policy. The reference DIAL server implementation also doesn't restrict the Origin of incoming requests, so JavaScript XHR requests from any domain are executed by the DIAL server. To solve the issue, the DIAL 1.7.2 spec was updated to define a CORS access policy on the DIAL server that doesn't break compatibility with existing devices.
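To make the server-side point concrete, here is an added illustration of an Origin check in front of a DIAL application-launch endpoint; it is example code, not the DIAL reference server and not the exact policy wording of DIAL 1.7.2, and the allowlist contents and the names `APP_ORIGIN_ALLOWLIST`, `normalize_origin`, `vulnerable_launch_policy` and `launch_policy` are assumptions made for this example.

```python
# Illustrative Origin allowlist for a DIAL server's launch endpoint (POST /apps/<name>).
# Example code only: not the DIAL reference server, not the literal 1.7.2 policy text.
from urllib.parse import urlsplit

# Hypothetical allowlist: which web origins may launch which first-screen app.
# An app with no entry can only be launched by non-browser (native) DIAL clients.
APP_ORIGIN_ALLOWLIST = {
    "YouTube": {"https://www.youtube.com"},
    "Netflix": {"https://www.netflix.com"},
}

def normalize_origin(origin):
    """Reduce an Origin header value to scheme://host[:port], lower-cased, with
    default ports dropped. Returns None for anything that is not a web origin
    (including the opaque value 'null' that browsers send for sandboxed content)."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if (parts.scheme, port) in (("http", 80), ("https", 443)):
        port = None
    suffix = f":{port}" if port else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def vulnerable_launch_policy(app_name, headers):
    """The pre-1.7.2 behaviour the post describes: any Origin is accepted and
    reflected, so a script on any website can launch the app."""
    origin = headers.get("Origin")
    cors = {"Access-Control-Allow-Origin": origin} if origin else {}
    return 201, cors  # 201 Created = app launched

def launch_policy(app_name, headers):
    """Return (HTTP status, CORS response headers) for a launch request.
    No Origin header: a native DIAL client, allowed with no CORS headers, so
    existing second-screen apps keep working. Origin on the app's allowlist:
    allowed, echoing exactly that origin. Anything else: 403 and the app is
    NOT launched. Refusing server-side matters because a text/plain POST is a
    'simple' CORS request that browsers send without a preflight; merely
    omitting Access-Control-Allow-Origin would hide the response but the
    launch would already have happened."""
    origin = headers.get("Origin")
    if origin is None:
        return 201, {}
    norm = normalize_origin(origin)
    if norm is not None and norm in APP_ORIGIN_ALLOWLIST.get(app_name, set()):
        return 201, {"Access-Control-Allow-Origin": norm, "Vary": "Origin"}
    return 403, {}
```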

The new CORS access policy will:

The benefits of this solution are: