On 19 April 2012 11:31, JOSE MANUEL CANTERA FONSECA <[email protected]> wrote:
> Is there any special risk on allowing any kind of unauthenticated content
> to request vibration without any permission request?
>

It will be an annoyance, yes, but I don't see any security risk other
than Denial of Service.  I think of it as similar to how websites could
call window.alert in an infinite loop. It makes more sense to take the hit
of the Denial of Service risk than to annoy users with permission
dialogs.

=dev

On 19 April 2012 11:31, JOSE MANUEL CANTERA FONSECA <[email protected]> wrote:
> Is there any special risk on allowing any kind of unauthenticated content
> to request vibration without any permission request?
>
> Thanks, best
>
> On 16/04/12 07:55, "Lucas Adamski" <[email protected]> wrote:
>
>>Last call for comments!  So far the only feedback I have received is that
>>it would be good to have a UI mechanism for determining which app is
>>triggering the vibration, which sounds like a reasonable idea to me.
>>Thanks!
>>  Lucas.
>>
>>On Apr 11, 2012, at 10:36 PM, Lucas Adamski wrote:
>>
>>> Name of API: Vibration
>>> Reference: http://dev.w3.org/2009/dap/vibration/
>>>
>>> Brief purpose of API: Let content activate the vibration motor
>>>
>>> Inherent threats: Obnoxious if mis-used, consume extra battery
>>> Threat severity: low
>>>
>>> == Regular web content (unauthenticated) ==
>>> Use cases for unauthenticated code: Vibrate when hit in a game
>>> Authorization model for uninstalled web content: Explicit
>>> Authorization model for installed web content: Implicit
>>> Potential mitigations: Limit how long vibrations can run
>>>
>>> == Trusted (authenticated by publisher) ==
>>> Use cases for authenticated code: [Same]
>>> Authorization model: Implicit
>>> Potential mitigations:
>>>
>>> == Certified (vouched for by trusted 3rd party) ==
>>> Use cases for certified code:
>>> Authorization model: implicit
>>> Potential mitigations:
>>>
>>> Notes:  This API may be implicitly granted.  User can deny from
>>> Permission Manager to over-ride an abusive app.
>>>
>>
>>_______________________________________________
>>dev-webapps mailing list
>>[email protected]
>>https://lists.mozilla.org/listinfo/dev-webapps
>>
>
>
>
> This message is addressed exclusively to its recipient. You can consult
> our policy on sending and receiving e-mail at the link
> below.
> This message is intended exclusively for its addressee. We only send and 
> receive email on the basis of the terms set out at
> http://www.tid.es/ES/PAGINAS/disclaimer.aspx
> _______________________________________________
> dev-security mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security
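The two mitigations the thread raises (limit how long a vibration can run, and let the user deny an abusive app from the Permission Manager) as an added JavaScript example; this is not code from the mailing-list discussion or from any browser engine, and the function names, the policy values, the per-origin rate limit and the fake navigator are assumptions made for the example:

```javascript
// Added example (not from the thread or any browser engine): a defender-side
// wrapper around navigator.vibrate that enforces the two mitigations discussed,
// a cap on how long a vibration can run and a per-origin override/rate limit.
// Policy values below are assumed, not taken from any specification.
const MAX_PULSE_MS = 1000;    // longest single "on" segment allowed (assumed)
const MAX_TOTAL_ON_MS = 3000; // summed "on" time allowed per call (assumed)

// navigator.vibrate takes a number or an array; even indexes are "on" durations,
// odd indexes are pauses. Non-numeric, non-finite or negative entries become 0.
function normalizePattern(pattern) {
  const arr = Array.isArray(pattern) ? pattern : [pattern];
  return arr.map((v) => (Number.isFinite(v) && v > 0 ? Math.floor(v) : 0));
}

// Clamp each pulse and the total on-time; truncate the pattern once the budget is spent.
function clampPattern(pattern, maxPulseMs = MAX_PULSE_MS, maxTotalOnMs = MAX_TOTAL_ON_MS) {
  const out = [];
  let remaining = maxTotalOnMs;
  const norm = normalizePattern(pattern);
  for (let i = 0; i < norm.length; i++) {
    if (i % 2 === 1) { out.push(norm[i]); continue; } // pauses pass through unchanged
    const pulse = Math.min(norm[i], maxPulseMs, remaining);
    remaining -= pulse;
    out.push(pulse);
    if (remaining === 0) break; // nothing left to grant; drop the rest of the pattern
  }
  return out;
}

// Sliding-window call budget per origin, with an injectable clock for testing.
class VibrationBudget {
  constructor({ maxCalls = 5, windowMs = 10000, now = () => Date.now() } = {}) {
    this.maxCalls = maxCalls;
    this.windowMs = windowMs;
    this.now = now;
    this.calls = new Map(); // origin -> timestamps of recent granted calls
  }
  allow(origin) {
    const t = this.now();
    const recent = (this.calls.get(origin) || []).filter((ts) => t - ts < this.windowMs);
    const granted = recent.length < this.maxCalls;
    if (granted) recent.push(t);
    this.calls.set(origin, recent);
    return granted;
  }
}

// `denied` stands in for the user's Permission Manager override from the thread:
// an origin the user has blocked never reaches the motor. Cancel requests
// (0 or an all-zero pattern) are always honoured and do not consume budget.
function guardedVibrate(origin, pattern, budget, nav, denied = new Set()) {
  if (denied.has(origin)) return { ok: false, reason: 'denied' };
  const clamped = clampPattern(pattern);
  if (clamped.every((v) => v === 0)) {
    nav.vibrate(0);
    return { ok: true, reason: 'cancelled', pattern: [0] };
  }
  if (!budget.allow(origin)) return { ok: false, reason: 'rate-limited' };
  const ok = nav.vibrate(clamped);
  return { ok, reason: ok ? 'vibrated' : 'unsupported', pattern: clamped };
}

// Constructed stand-in for navigator so the example runs outside a browser.
function makeFakeNavigator() {
  const log = [];
  return { log, vibrate(p) { log.push(p); return true; } };
}

// Constructed scenario: one origin asks for a 60 s buzz five times in half a second.
function demo() {
  let clock = 0;
  const budget = new VibrationBudget({ maxCalls: 3, windowMs: 10000, now: () => clock });
  const nav = makeFakeNavigator();
  const origin = 'https://abusive.example';
  const reasons = [];
  for (let i = 0; i < 5; i++) {
    reasons.push(guardedVibrate(origin, 60000, budget, nav).reason);
    clock += 100;
  }
  return { reasons, motorCalls: nav.log };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

In the constructed scenario the 60 s request is cut to a single 1 s pulse, the first three calls within the window reach the motor and the remaining two are refused, which bounds the Denial of Service the reply accepts as the residual risk without putting a permission dialog in front of the user. Cancel requests bypass the budget on purpose, so a page that is already vibrating can always be told to stop.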
