https://wiki.mozilla.org/Apps/Security#Management_.2F_granting_of_API_permissions_to_WebApps

Under "Management / granting of API permissions to WebApps", I think two important points are missing:

4. User should be able to audit usage of permissions (this is different from viewing what permissions an app has, since that does not tell you how or when it is used).
5. Apps cannot request permission to do something that is not listed in the manifest.

I'd also like to raise the issue of what happens to permissions when principals interact. Do webapps have iframes like websites? Can they embed advertisements? Do the advertisers then get all of the permissions?

There are two ways iframes/permissions don't mix well:

* Child frame requests permission to do something. User thinks that the dialog belongs to the parent frame, accidentally grants the child frame access to something.
* Parent frame belongs to an untrusted app with no privileges. It opens a child frame with a trusted app in it. Let's say the child frame performs a privileged action as soon as it is opened, using a permanently-granted permission. The untrusted parent frame has now caused some action to occur without the user realizing it.

I think the solution is to not let cross-origin iframes wield permissions that have dialogs. (Permissions that are always hidden from the user, or permissions that are controlled via auditing only would be OK for an iframe to access.)

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
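The policy argued for in the post above, as an added example that is not part of the original message and not Mozilla's code: a toy permission broker in JavaScript that enforces the three rules raised (manifest-declared permissions only, a per-use audit log, and no dialog-bearing permissions for cross-origin child frames). The manifest shape, the permission names and their 'dialog' vs 'silent' classification are constructed for illustration and do not reflect any actual Web Apps API.

```javascript
// Added example (not Mozilla's code): a toy permission broker that models
// the rules argued for in the post. Permission names, the manifest shape and
// the 'dialog' vs 'silent' classification are constructed for illustration.

// Which permissions show the user a dialog when requested. A dialog raised
// by a cross-origin child frame can be mistaken for one from the parent, so
// dialog-bearing permissions are withheld from cross-origin frames; silent,
// audit-only permissions are not.
const PERMISSION_KINDS = {
  geolocation: 'dialog',
  camera: 'dialog',
  storage: 'silent',
};

function originOf(url) {
  return new URL(url).origin;
}

class PermissionBroker {
  // manifest: { permissions: [...] } as declared by the installed app.
  // appUrl: the top-level document of the app.
  // promptUser: callback(permission) -> boolean, standing in for the dialog.
  constructor(manifest, appUrl, promptUser) {
    this.appOrigin = originOf(appUrl);
    this.declared = new Set(manifest.permissions);
    this.granted = new Set();
    this.promptUser = promptUser;
    this.auditLog = [];
  }

  // Policy check shared by request() and use(). Returns null when the
  // frame may proceed, otherwise the reason it may not.
  deny(permission, frameUrl) {
    if (!this.declared.has(permission)) return 'not-in-manifest'; // point 5
    const kind = PERMISSION_KINDS[permission];
    if (kind === undefined) return 'unknown-permission';
    const crossOrigin = originOf(frameUrl) !== this.appOrigin;
    if (kind === 'dialog' && crossOrigin) return 'cross-origin-dialog';
    return null;
  }

  // A frame asks for a permission. Dialog permissions go to the user.
  request(permission, frameUrl) {
    const reason = this.deny(permission, frameUrl);
    if (reason) return { ok: false, reason };
    if (PERMISSION_KINDS[permission] === 'dialog' && !this.promptUser(permission)) {
      return { ok: false, reason: 'user-declined' };
    }
    this.granted.add(permission);
    return { ok: true };
  }

  // A frame exercises a granted permission. Every use is recorded with the
  // frame's origin and a timestamp so the user can audit how and when a
  // permission was actually exercised (point 4), not just that it was held.
  use(permission, frameUrl, now = new Date()) {
    const reason = this.deny(permission, frameUrl);
    if (reason) return { ok: false, reason };
    if (!this.granted.has(permission)) return { ok: false, reason: 'not-granted' };
    this.auditLog.push({
      permission,
      origin: originOf(frameUrl),
      time: now.toISOString(),
    });
    return { ok: true };
  }
}

// Constructed scenario: an app at https://app.example (hypothetical) declares
// three permissions and embeds an advertisement frame from another origin.
function runScenario() {
  const manifest = { permissions: ['geolocation', 'camera', 'storage'] };
  const app = 'https://app.example/index.html';
  const ad = 'https://ads.example/frame.html'; // cross-origin child frame
  // The user clicks "allow" on every dialog in this run.
  const broker = new PermissionBroker(manifest, app, () => true);
  return {
    // The app itself may request a dialog permission, then use it.
    appGeo: broker.request('geolocation', app),
    appUse: broker.use('geolocation', app, new Date('2012-01-01T00:00:00Z')),
    // The ad frame can neither raise the dialog nor reuse the granted permission.
    adGeo: broker.request('geolocation', ad),
    adUse: broker.use('geolocation', ad),
    // A silent, audit-only permission is fine for the ad frame.
    adStorage: broker.request('storage', ad),
    // Nothing outside the manifest can be requested at all.
    appMic: broker.request('microphone', app),
    audit: broker.auditLog,
  };
}
```

The second iframe scenario in the post (an untrusted parent embedding a trusted app that holds a permanent grant) is covered by the same check: the broker is scoped to the top-level app's origin, so a child frame from any other origin is refused dialog-class permissions in `use()` as well as in `request()`, while silent permissions remain available and leave an entry in `auditLog`.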