WebAPI/Security/Contacts: Difference between revisions

Jump to navigation Jump to search

WebAPI/Security/Contacts (view source)

Revision as of 22:23, 30 July 2012

8 bytes added ,  30 July 2012
→‎Trusted (authenticated by publisher)
Line 36: Line 36:
Potential mitigations:
Potential mitigations:
* Let user configure what data is accessible (globally?)
* Let user configure what data is accessible (globally?)
* Have separate permissions read,create or update/delete? (assuming that many apps only want read, and could use web activities to create a contact if necessary?) These should not be exposed to the user (the user should be only be asked if the API wants to "have access to" the contacts API, it adds too much cognitive overhead to start scanning dialogs for the verb without clearly differentiating the risk to the user).
* Have separate permissions for read vs read&write, assuming that many apps only want read, and could use web activities to create a contact if necessary. These distinctions should not be exposed to the user (the user should be only be asked if the API wants to "have access to" the contacts API, as it adds too much cognitive overhead to start scanning dialogs for the verb without clearly differentiating the risk to the user).


== Certified (vouched for by trusted 3rd party) ==
== Certified (vouched for by trusted 3rd party) ==
Ladamski
Confirmed users
717

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/456247"

Navigation menu