"Final" proposal. Please reply-to [email protected] with any major issues.
The only change below reflects a discussion from the work week, which suggested that we should always show the geolocation indicator, even though it may be undesirable for a "find my stolen phone" app. The logic in this proposal was that it isn't worth trading the privacy risk all the time for the relatively unlikely scenario of a recovered lost device (a determined thief could simply turn the phone off).

Name of API: Geolocation API
Reference: https://developer.mozilla.org/En/Using_geolocation
Brief purpose of API: Obtain current location of user
General Use Cases: Mapping applications, GPS navigation, geotagging
Inherent threats:
* Leakage of user's current location to app
* Leakage of user's current location to 3rd party geolocation service
* Profiling of user behavior
Threat severity: Moderate

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Same
Authorization model for normal content: Explicit (default to not remember)
Authorization model for installed content: Explicit (default to... ?)
Potential mitigations: UI indicator for active geolocation with a path for user to disable

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Same
Authorization model: Explicit (default to... ?)
Potential mitigations: UI indicator for active geolocation with a path for user to disable

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Device theft recovery; same
Authorization model: Implicit
Potential mitigations: UI indicator for active geolocation with a path for user to disable

_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
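As an added illustration of the API the proposal is classifying (example code, not part of the original message or of any Mozilla implementation): what page script actually sees under an explicit authorization model is either a position or a GeolocationPositionError, and the consent prompt and the "active geolocation" indicator live in browser UI the script cannot influence. The `geo` object is injected so the same function runs against the real `navigator.geolocation` in a browser or against the constructed `fakeGeolocation` below in Node; the `coarsen` helper is one app-side step against the "leakage to 3rd party service" threat listed above, and both helpers are assumptions of this example rather than anything the proposal specifies.

```javascript
// Added example, not code from the original proposal. Demonstrates the
// application-visible side of the Geolocation API: a success callback with
// coordinates, or an error callback carrying one of the spec's error codes.
// The browser's permission prompt and indicator UI are invisible to script.

// Error codes defined on GeolocationPositionError.
const PERMISSION_DENIED = 1;
const POSITION_UNAVAILABLE = 2;
const TIMEOUT = 3;

// Request one fix from `geo` (navigator.geolocation in a browser, or a fake
// here) and report a normalised result through `cb`. The real API is
// asynchronous; the classification of err.code is what an app should branch on,
// since "denied" is the user's decision and must not be retried in a loop.
function requestLocation(geo, cb, opts = {}) {
  if (!geo || typeof geo.getCurrentPosition !== 'function') {
    cb({ ok: false, reason: 'unsupported' });
    return;
  }
  geo.getCurrentPosition(
    (pos) => cb({
      ok: true,
      coords: {
        latitude: pos.coords.latitude,
        longitude: pos.coords.longitude,
        accuracy: pos.coords.accuracy,
      },
    }),
    (err) => {
      const reason = err.code === PERMISSION_DENIED ? 'denied'
        : err.code === POSITION_UNAVAILABLE ? 'unavailable'
        : err.code === TIMEOUT ? 'timeout'
        : 'unknown';
      cb({ ok: false, reason });
    },
    {
      // Low accuracy and a cached fix are enough for mapping/geotagging and
      // limit how precise a leaked position can be.
      enableHighAccuracy: false,
      timeout: opts.timeout ?? 10000,
      maximumAge: opts.maximumAge ?? 60000,
    }
  );
}

// Round a fix before sending it to a third-party service (tile server,
// geocoder). Two decimal places is roughly 1 km, so a street address never
// leaves the app. Hypothetical helper added for this example.
function coarsen(coords, decimals = 2) {
  const f = 10 ** decimals;
  return {
    latitude: Math.round(coords.latitude * f) / f,
    longitude: Math.round(coords.longitude * f) / f,
  };
}

// Constructed stand-in for navigator.geolocation so the example runs offline.
// Calls back synchronously; the real API calls back asynchronously.
function fakeGeolocation({ deny = false, position = null } = {}) {
  return {
    getCurrentPosition(success, error) {
      if (deny) {
        error({ code: PERMISSION_DENIED, message: 'User denied Geolocation' });
        return;
      }
      success({ coords: position, timestamp: Date.now() });
    },
  };
}

// Usage in a browser: requestLocation(navigator.geolocation, (r) => { ... });
requestLocation(fakeGeolocation({ deny: true }), (r) => {
  // r = { ok: false, reason: 'denied' }
  console.log('denied run:', r);
});
```

Note that `enableHighAccuracy: false` is only a hint to the browser; it does not guarantee a coarse fix, which is why the app-side rounding is still worth doing before the coordinates cross a trust boundary.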
