Tags: android, bluetooth, bluetooth-lowenergy, android-bluetooth, web-bluetooth

Web Bluetooth: Securely Send Domain of Connecting Website to Android App


The Android BLE Peripheral Simulator app, combined with the Web Bluetooth Samples, is a tremendous resource for developers. In the sample web pages, once a user clicks on the submit button, the Bluetooth pairing screen is displayed.

[Image: Bluetooth pairing screen]

Once a user selects a device from the pairing screen, the connection to the Android app is automatically made.

Is it possible for there to be a security check on the Android app that would only allow a connection from specific domains? Most importantly, is it possible for the Web Bluetooth API to securely send the domain to the Android app (it is displayed at the top of the pairing screen so it is available)?

This would need to be some sort of meta-data process call; simply calling a JavaScript method from the web page to sendDomain("Domain Name") would of course not be secure.

I usually try to spend an hour or so researching a question before I post it to StackOverflow. I could find nothing on this concept. The word "domain" does not appear in the Web Bluetooth Draft. There was some discussion of domains in the early days of Web Bluetooth and Web NFC; however, I was unable to find any current references or examples.

Thx!


Solution

  • As you probably already have found out, there is no such thing in Web Bluetooth.

    Note that Web Bluetooth is built around GATT and GATT was not designed with the browser in mind. GATT is built for device to device communication rather than app to app communication.

    It's also not clear how this domain should be sent (written to a specific GATT characteristic?), but if you have a good idea, feel free to post it to https://github.com/WebBluetoothCG/web-bluetooth/issues, since you bring up a valid question. Note that multiple apps and web pages can be connected to the same peripheral concurrently, but the peripheral sees the GATT requests as if they all came from the same source. If L2CAP CoC were better supported, this could be an easier solution, since then each app could open its own communication channel...
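The point the answer makes, shown in code: the following is an added example, not part of the question or the answer above, and not code from the Web Bluetooth Samples or the BLE Peripheral Simulator. It uses the real Web Bluetooth API shape (requestDevice, gatt.connect, getPrimaryService, getCharacteristic, writeValue) to write a string to a GATT characteristic, which is the only way a page could "send its domain" today. The service and characteristic UUIDs are hypothetical, and the `bluetooth` argument is `navigator.bluetooth` in a browser; here a constructed in-memory stand-in plays the peripheral so the code runs offline and records exactly what a GATT server would see: bytes, with no caller identity attached.

```javascript
// Added example (not from the original post). Hypothetical UUIDs for a
// characteristic the peripheral would expose to receive a claimed origin.
const ORIGIN_SERVICE_UUID = "0000a000-0000-1000-8000-00805f9b34fb"; // hypothetical
const ORIGIN_CHAR_UUID = "0000a001-0000-1000-8000-00805f9b34fb";    // hypothetical

// Browser-side code. `bluetooth` is navigator.bluetooth in a real page.
// `claimedOrigin` is just an argument: an honest page passes location.origin,
// any other page passes whatever string it wants. Nothing in the GATT
// exchange carries the browser's real origin to the peripheral.
async function writeClaimedOrigin(bluetooth, claimedOrigin) {
  const device = await bluetooth.requestDevice({
    filters: [{ services: [ORIGIN_SERVICE_UUID] }],
  });
  const server = await device.gatt.connect();
  const service = await server.getPrimaryService(ORIGIN_SERVICE_UUID);
  const characteristic = await service.getCharacteristic(ORIGIN_CHAR_UUID);
  const bytes = new TextEncoder().encode(claimedOrigin); // Uint8Array is a valid BufferSource
  await characteristic.writeValue(bytes);
  return bytes.length;
}

// Constructed stand-in for the peripheral (the role the Android app plays).
// It mimics just enough of the Web Bluetooth object graph for
// writeClaimedOrigin() to run, and logs each write as the peripheral sees it.
function makeFakePeripheral() {
  const writes = [];
  const characteristic = {
    writeValue: async (value) => { writes.push(new TextDecoder().decode(value)); },
  };
  const service = { getCharacteristic: async () => characteristic };
  const server = { getPrimaryService: async () => service };
  const device = { gatt: { connect: async () => server } };
  const bluetooth = { requestDevice: async () => device };
  return { bluetooth, writes };
}

// Two pages write to the same peripheral: the page the app developer trusts,
// and a page with some other origin that simply claims to be the trusted one.
// The peripheral ends up with two identical strings and no way to tell which
// write came from which page.
async function demonstrateSpoofableOrigin() {
  const peripheral = makeFakePeripheral();
  await writeClaimedOrigin(peripheral.bluetooth, "https://trusted.example");
  // Page actually served from https://attacker.example (constructed) lies:
  await writeClaimedOrigin(peripheral.bluetooth, "https://trusted.example");
  const distinctValues = new Set(peripheral.writes).size;
  return {
    writes: peripheral.writes,
    peripheralCanDistinguish: distinctValues === peripheral.writes.length,
  };
}
```

Run demonstrateSpoofableOrigin() in Node (or swap the fake for navigator.bluetooth in a page) and the result is two writes of the same value with peripheralCanDistinguish false: a characteristic write is data the page chose, not an authenticated statement about where the page came from, so an allow-list of domains checked on the Android side would be bypassed by any page that writes the expected string.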