(Please reply-to [email protected])
Name of API: Background API
Reference:
http://groups.google.com/group/mozilla.dev.webapi/browse_thread/thread/3455cb056e40d095
Related:
Brief purpose of API: Provide for applications to request to remain and
run in the background. It is not intended for pure background services.
General Use Cases:Use cases: Navigation app continuing to run and
provide driving prompts from the background.
Inherent threats: Resource utilization
Threat severity: Low by itself. Could raise the security concerns of
other APIs.
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Streaming radio station wants to
continue to play in the background.
Authorization model for normal content: Implicit
Authorization model for installed content: Implicit
Potential mitigations:
== Trusted (authenticated by publisher) ==
Use cases for authenticated code:Implicit
Use cases for trusted code:Implicit
Potential mitigations:
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Implicit
Authorization model:Implicit
Potential mitigations:
Note: This is an API that content can use to request to remain in the
background and not be cleaned up. It could accentuate the security
concerns of other APIs (for example, an app with Camera permission could
be more of a security risk if it can continue recording out of sight of
the user), but it is not a security risk itself. It should be noted in
the App Review Policy about this fact for reviewers to keep in mind.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
