I haven't seen any comments on this for a while so I'll be closing this out and 
posting on Friday.  Please send any last comments before noon PDT.  Thanks!
  Lucas.

On Apr 15, 2012, at 11:12 PM, Lucas Adamski wrote:

> Please reply-to [email protected]
> 
> Name of API: Idle API
> Reference:  https://wiki.mozilla.org/WebAPI/IdleAPI
> 
> Brief purpose of API: Notify an app if the user is idle
> General Use Cases: Notify a web page if a user is idle (e.g. to change a 
> status in an instant messaging program)
> 
> Inherent threats:  Privacy implication - signalling multiple windows at 
> exactly the same time could correlate user identities and compromise privacy
> 
> Threat severity: Low
> 
> == Regular web content (unauthenticated) ==
> Use cases for unauthenticated code: Event is fired when the user is idle
> Authorization model for normal content: Implicit
> Authorization model for installed content: Implicit
> Potential mitigations: Exact time user goes idle can be fuzzy so as to reduce 
> correlation
> 
> == Trusted (authenticated by publisher) ==
> Use cases for authenticated code: As per unauthenticated
> Authorization model: 
> Potential mitigations: 
> 
> == Certified (vouched for by trusted 3rd party) ==
> Use cases for certified code: As per unauthenticated
> Authorization model: 
> Potential mitigations:
> 

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
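
The mitigation listed in the review above (making the reported idle time fuzzy to reduce correlation), sketched as an added example that is not part of the original message or of the Idle API itself. `JITTER_MS`, the function names and the `.example` window names are assumptions made for illustration.

```javascript
// Added example. JITTER_MS, the function names and the sample windows are
// assumptions for illustration; the Idle API page does not define them.
const JITTER_MS = 30000; // assumed upper bound on the per-window delay

// Uniform value in [0, 1) from the platform CSPRNG when one is exposed.
function secureUnit() {
  const c = globalThis.crypto;
  if (c && c.getRandomValues) {
    return c.getRandomValues(new Uint32Array(1))[0] / 2 ** 32;
  }
  return Math.random(); // fallback for runtimes without Web Crypto
}

// Decide when each window is told the user went idle. Every window gets its
// own independent delay, so windows do not all fire at the same instant.
function scheduleIdleNotifications(idleAt, windowIds, jitterMs = JITTER_MS, rand = secureUnit) {
  const out = new Map();
  for (const id of windowIds) {
    out.set(id, idleAt + Math.floor(rand() * jitterMs));
  }
  return out;
}

// The correlation the review warns about: a party that sees the timestamps
// links any two windows whose idle events landed within toleranceMs.
function correlatedPairs(schedule, toleranceMs) {
  const entries = [...schedule.entries()];
  const pairs = [];
  for (let i = 0; i < entries.length; i++) {
    for (let j = i + 1; j < entries.length; j++) {
      if (Math.abs(entries[i][1] - entries[j][1]) <= toleranceMs) {
        pairs.push([entries[i][0], entries[j][0]]);
      }
    }
  }
  return pairs;
}

// Constructed sample: three windows of one user, idle at t = 1,000,000 ms.
const windows = ["mail.example", "chat.example", "forum.example"];
const exact = scheduleIdleNotifications(1000000, windows, 0);
const fuzzy = scheduleIdleNotifications(1000000, windows);
console.log("exact:", correlatedPairs(exact, 50).length, "linked pairs");
console.log("fuzzy:", correlatedPairs(fuzzy, 50).length, "linked pairs");
```

The jitter only defeats matching at a precision finer than the jitter window: with a tolerance as large as `jitterMs`, every pair is linked again, which is why the review describes the mitigation as reducing correlation rather than removing it.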
