WebAPI Security Discussion: Permission API

Lucas Adamski Tue, 08 May 2012 16:47:56 -0700

Please reply-to [email protected]

Name of API: Permission API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625


Brief purpose of API: Allow an app to manage app permissions in a centralized 
location
General Use Cases: None

Inherent threats: Change security and privacy permissions, potentially leading 
to device compromise

Threat severity: Critical

== Regular web content (unauthenticated) ==
Use  cases for unauthenticated code:None
Authorization model for normal content:  None
Authorization model for installed content: None
Potential mitigations: 

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: None
Use cases for trusted code: None
Potential mitigations:

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code:  Centralized permissions management app; modify 
per-app settings
Authorization model: Implicit
Potential mitigations: None

Note: We are not exposing permission settings to non-certified apps.  Apps 
cannot determine their current settings without actually requesting a 
permission.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security

WebAPI Security Discussion: Permission API

Reply via email to