Please reply-to [email protected]

Name of API: Keyboard API
Reference: See: https://groups.google.com/d/topic/mozilla.dev.webapi/Vs3-HGv9NNw/discussion

Brief purpose of API: Allow virtual keyboard to be implemented as a Web App

General Use Cases:
*Replace the installed keyboard with a different one
*Choose what keyboard is shown (numeric, alphanumeric, symbols, first letter capitalized etc)

Inherent threats: Access to user keystrokes (steal passwords, bank account details, etc), send trusted key events
Threat severity: high

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Request which keyboard [type?] is displayed
Authorization model for uninstalled web content: implicit for focused top-level content
Authorization model for installed web content: implicit
Potential mitigations: Request keyboard [type] only.

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Implement new keyboard.
Authorization model: Implicit
Potential mitigations:

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Implement new keyboard
Authorization model: Implicit
Potential mitigations: None

Notes: Obtain user confirmation at install time (i.e. "Install this keyboard?"). Keyboard apps have unique store review requirement.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
