Hi all,

Below is the template we'll be using to discuss the security implications of individual WebAPIs in each of the application categories. This one is just an example so please don't focus on the proposal itself, as it isn't intended to make much sense.

I'm also sending out the first two specific APIs for discussion: Orientation API and Camera API. Each discussion will take 3-5 days (depending on the complexity), at the end of which we'll lock in the proposed behavior and move onto another batch of API discussions. Discussions will be overlapping as there are too many to cover sequentially. In the interests of time we may defer discussion of some of the lower priority APIs (eg. WebNFC) for now, or B2G-specific APIs that are initially only intended to be exposed to certified apps.

Name of API: (eg. Camera API)

References: <links to relevant specs, threat models, detailed use cases, etc>

Brief purpose of API: (eg. "Let content take photos and capture video")

General Use Cases: <description of / link to use cases that apply to all app categories>

Inherent threats: (eg. steal local files, modify system state, spy on user video/audio)

Threat severity: [low/moderate/high/critical per https://wiki.mozilla.org/Security_Severity_Ratings]

== Regular web content (unauthenticated) ==

Use cases for unauthenticated code: (eg. "App allows user to take a picture for a profile")

Authorization model for uninstalled web content: <implicit or explicit at runtime>

Authorization model for installed web content: <implicit/explicit [upfront|runtime]>

Potential mitigations: (eg. Prompt user to take a picture. If permitted, agent mediated viewfinder UI is launched to… )

== Trusted (authenticated by publisher) ==

Use cases for authenticated code: (eg. "Foreground photo sharing app with realtime preview and special effects")

Authorization model: <implicit/explicit [upfront|runtime]>

Potential mitigations: (eg. Prompt for camera access, app then retains access to camera until exit. Camera access is suspended if app loses foreground, and resumes when…)

== Certified (vouched for by trusted 3rd party) ==

Use cases for certified code: (eg. "Video monitoring service that can run in background without user awareness for extended periods of time")

Authorization model: <implicit/explicit [upfront|runtime]>

Potential mitigations: (eg. None beyond certification)

_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
