Please reply to dev-weba...@lists.mozilla.org.

== WebPayment API ==

References:
* https://wiki.mozilla.org/WebAPI/WebPayment
* https://bugzilla.mozilla.org/show_bug.cgi?id=767818

Brief purpose of API: Allow apps (including the Marketplace) to initiate in-app payments and refunds.

General Use Cases:
* Buy an app via the Marketplace
* Get a refund for a purchase via the Marketplace
* Buy an item from within a 3rd party app
* Initiate a refund for an item bought in a 3rd party app

Inherent threats:
* Trick a user into paying for something they didn't want
* Trick a user into paying something more than once (i.e. replay attacks)
* Charge a user more than they expect for a purchase
* Force a refund for a different app or user than expected, thereby disabling it

Threat severity: High

== Regular web content (unauthenticated) ==

Use cases for unauthenticated code: Same
Authorization model for normal content: None?
Authorization model for installed content: Implicit
Potential mitigations: System notification of all purchases

== Privileged (approved by app store) ==

Use cases for privileged code: Same
Authorization model: Implicit
Potential mitigations: Same

== Certified (system-critical apps) ==

Use cases for certified code: Same
Authorization model: Implicit
Potential mitigations: Same

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security