WebAPI/Security/Idle: Difference between revisions

From MozillaWiki
(9 intermediate revisions by 2 users not shown)

Earlier revision (superseded by the latest revision below):

Name of API: Idle API

Reference: https://wiki.mozilla.org/WebAPI/IdleAPI

Brief purpose of API: Notify an app if the user is idle.

General Use Cases: Notify a web page if a user is idle (e.g. to change a status in an instant messaging program).

Inherent threats:
* Privacy implications
** Signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
** Could be used by a workplace to monitor activity by monitoring system idle

Threat severity: Low

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: N/A

Authorization model for normal content: None

Authorization model for installed web content: None

Potential mitigations:
* The exact time at which the user goes idle can be fuzzed so as to reduce correlation
* Provide only page idle, not system idle, where privacy is a concern

== Privileged (authenticated by publisher) ==
Use cases for authenticated code: N/A

Authorization model: None

Potential mitigations: None

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: As per unauthenticated

Authorization model: Implicit

Potential mitigations: Implicit

Latest revision as of 23:40, 1 October 2014

Idle API

Brief purpose of API: Notify an app if the user is idle.
General Use Cases: Notify a web page if a user is idle (e.g. to change a status in an instant messaging program).

References:

  • https://wiki.mozilla.org/WebAPI/IdleAPI
  • Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Wxgz7_LKD40/discussion

Inherent threats:

  • Privacy implications
    • Signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
    • Could be used by a workplace to monitor activity by monitoring system idle

Threat severity: Low

Permissions Table

Type                 | Use Cases                          | Authorization Model
Web Content          | None                               | No access
Installed Web Apps   | None                               | No access
Privileged Web Apps  | None                               | No access
Certified Web Apps   | Notify an app if the user is idle. | Implicit