"Final" call for comment. Please reply-to dev-weba...@lists.mozilla.org with any major issues before COB Jun 04.
On Thursday, 10 May 2012 04:57:27 UTC+10, pther...@mozilla.com wrote: > (Please reply-to dev-weba...@lists.mozilla.org) > > Name of API: Network Information API Sec > Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=677166 > https://wiki.mozilla.org/WebAPI/NetworkAPI > > Brief purpose of API: > General Use Cases: > Read current bandwidth estimate or ask if connection is metered > > Listen for connection change events > > Inherent threats: Privacy (de-anonymize users based on connection change > events?) > > Threat severity:Low > > == Regular web content (unauthenticated) == > Use cases for unauthenticated code: Read current bandwidth estimate or > ask if connection is metered > Authorization model for normal content: Read current bandwidth estimate > or ask if connection is metered > Authorization model for installed content: > Potential mitigations: Maybe fuzz the exact time of the network change > event in a similar manner to idle API. > > == Trusted (authenticated by publisher) == > Use cases for authenticated code:As above > Use cases for trusted code: > Potential mitigations: > > == Certified (vouched for by trusted 3rd party) == > Use cases for certified code: As above > Authorization model: > Potential mitigations: _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security