On Thu, Mar 15, 2012 at 10:52 AM, Adrienne Porter Felt <a...@berkeley.edu> wrote:
> https://wiki.mozilla.org/Apps/Security#Management_.2F_granting_of_API_permissions_to_WebApps
>
> Under "Management / granting of API permissions to WebApps", I think two
> important points are missing:
>
> 4. User should be able to audit usage of permissions (this is different from
> viewing what permissions an app has, since that does not tell you how or
> when it is used)
> 5. Apps cannot request permission to do something that is not listed in the
> manifest
Agreed on 4. For 5 I would rather say "Apps cannot request permission to do something that is not listed in the manifest *and* that the store hasn't granted them access to do".

> I'd also like to raise the issue of what happens to permissions when
> principals interact. Do webapps have iframes like websites? Can they embed
> advertisements?

Yes.

> Do the advertisers then get all of the permissions?

No.

> There are two ways iframes/permissions don't mix well:
>
> * Child frame requests permission to do something. User thinks that the
> dialog belongs to the parent frame, accidentally grants the child frame
> access to something.
>
> * Parent frame belongs to an untrusted app with no privileges. It opens a
> child frame with a trusted app in it. Let's say the child frame performs a
> privileged action as soon as it is opened, using a permanently-granted
> permission. The untrusted parent frame has now caused some action to occur
> without the user realizing it.

I don't think we should allow trusted apps to be framed. I.e. if an app opens a URL which belongs to a trusted app in an iframe, that URL should run with no special permissions at all. Prompt or no prompt.

/ Jonas

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
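The three rules discussed in the thread (a permission must be both manifest-listed and store-granted; a trusted app that is framed runs with no special permissions at all; permission use should be auditable by the user, not just listed) can be written down as one small permission gate. The following is an added illustration and is not Mozilla's code nor anything from the wiki page; the app records, the `isTopLevel` flag in the loading context, and the function names are assumptions made for the example.

```javascript
// Added example (not Mozilla's code): a permission gate encoding the rules
// discussed in the thread. All names and data below are illustrative.
//
// Rule 1 (point 5, as refined in the reply): an app may use a permission only
//   if it is listed in its manifest AND the store has granted it.
// Rule 2 (framing): a trusted app loaded inside another app's iframe runs with
//   no special permissions at all, prompt or no prompt.
// Rule 3 (point 4): every use of a permission is recorded so the user can later
//   audit when and by whom it was used, not just which permissions exist.

const auditLog = [];

// Constructed sample data standing in for app manifests and the store's grants.
const apps = {
  "https://trusted.example": {
    manifest: { permissions: ["geolocation", "contacts"] },
    storeGrants: ["geolocation"],
  },
  "https://ads.example": {
    manifest: { permissions: [] },
    storeGrants: [],
  },
};

// Decide whether `origin` may use `permission` in the given loading context.
// `ctx.isTopLevel` is an assumed flag: true when the app is the top-level
// document. In a browser page it would be derived from `window.top === window.self`.
function decide(origin, permission, ctx) {
  const app = apps[origin];
  if (!app) return { allowed: false, reason: "unknown app" };
  if (!ctx.isTopLevel) {
    // Rule 2: a framed app gets nothing, so an untrusted parent frame cannot
    // cause a privileged action just by embedding the trusted app.
    return { allowed: false, reason: "framed: no special permissions" };
  }
  if (!app.manifest.permissions.includes(permission)) {
    return { allowed: false, reason: "not in manifest" };
  }
  if (!app.storeGrants.includes(permission)) {
    return { allowed: false, reason: "not granted by store" };
  }
  return { allowed: true, reason: "manifest + store grant" };
}

// Gate a privileged call and leave an audit record either way (Rule 3).
function usePermission(origin, permission, ctx, action) {
  const verdict = decide(origin, permission, ctx);
  auditLog.push({ time: Date.now(), origin, permission, topLevel: ctx.isTopLevel, ...verdict });
  if (!verdict.allowed) return null;
  return action();
}

// Audit view for the user: every attempted use of one permission, newest first.
function auditUsage(permission) {
  return auditLog.filter((e) => e.permission === permission).reverse();
}

// Stand-alone demo of the three rules; returns the results of four attempts.
function demo() {
  const geo = () => "lat/long";
  const r1 = usePermission("https://trusted.example", "geolocation", { isTopLevel: true }, geo);   // allowed
  const r2 = usePermission("https://trusted.example", "geolocation", { isTopLevel: false }, geo);  // framed: denied
  const r3 = usePermission("https://trusted.example", "contacts", { isTopLevel: true }, () => "book"); // no store grant
  const r4 = usePermission("https://ads.example", "geolocation", { isTopLevel: true }, geo);       // not in manifest
  return [r1, r2, r3, r4];
}
```

The framing check is deliberately evaluated before the manifest and store checks, so a permanently granted permission never survives being loaded in someone else's iframe; the audit log records denied attempts as well, which is what lets a user see how and when a permission was exercised rather than merely that it was granted.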