Final call for comments. Please reply to [email protected] by COB Jun 04.
On Wednesday, 9 May 2012 09:47:47 UTC+10, Lucas Adamski wrote: > Please reply-to [email protected] > > Name of API: Permission API > Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625 > > Brief purpose of API: Allow an app to manage app permissions in a centralized > location > General Use Cases: None > > Inherent threats: Change security and privacy permissions, potentially > leading to device compromise > > Threat severity: Critical > > == Regular web content (unauthenticated) == > Use cases for unauthenticated code:None > Authorization model for normal content: None > Authorization model for installed content: None > Potential mitigations: > > == Trusted (authenticated by publisher) == > Use cases for authenticated code: None > Use cases for trusted code: None > Potential mitigations: > > == Certified (vouched for by trusted 3rd party) == > Use cases for certified code: Centralized permissions management app; modify > per-app settings > Authorization model: Implicit > Potential mitigations: None > > Note: We are not exposing permission settings to non-certified apps. Apps > cannot determine their current settings without actually requesting a > permission. _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
