"Final" proposal. Please reply-to [email protected] with any major issues.
On Wednesday, 9 May 2012 04:50:15 UTC+10, Lucas Adamski wrote: > Please reply-to [email protected] > > Name of API: Socket API > Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=733573 > > Brief purpose of API: Grant full access to raw sockets to allow applications > such as SMTP clients etc > General Use Cases: None > > Inherent threats:Malicious apps attacking internal systems (firewall bypass), > local device access > > Threat severity: High > > == Regular web content (unauthenticated) == > Use cases for unauthenticated code:None > Authorization model for normal content: > Authorization model for installed content: > Potential mitigations: > > == Trusted (authenticated by publisher) == > Use cases for authenticated code: Talk to non-HTTP services. SSH, FTP, mail > clients, supporting custom protocols > Use cases for trusted code: Implicit > Potential mitigations: Firewall should prohibit access to privileged low > number OS ports (<1024). Listening on a port < 1024 should be prohibited. > > == Certified (vouched for by trusted 3rd party) == > Use cases for certified code: Open a connection to any domain/port > Authorization model: Implicit > Potential mitigations: None _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
