MozillaWiki

WebAPI/Security/Settings: Difference between revisions

Page Discussion

WebAPI/Security/Settings (view source)

Revision as of 23:42, 1 October 2014

379 bytes removed ,  1 October 2014
no edit summary
No edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Name of API: Settings API
== Settings API ==
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=678695
Brief purpose of API: API to configure device settings


Brief purpose of API: API to configure device settings
General Use Cases: None
General Use Cases: None


Inherent threats:
Inherent threats:
*Access sensitive configuration data (wifi passwords etc)
*Access sensitive configuration data (WiFi passwords etc)
*Change settings which might cost user money (data settings, roaming etc)
*Change settings which might cost user money (data settings, roaming etc)
*Privacy implications  
*Privacy implications  
Line 12: Line 11:
Threat severity: High
Threat severity: High


== Regular web content (unauthenticated) ==
References:
*Use cases for unauthenticated code: Read/change non-sensitive settings
*https://bugzilla.mozilla.org/show_bug.cgi?id=678695
*Authorization model for normal content: None
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/jkzLINWWiQA/discussion
*Authorization model for installed content: Implicit read access to limited settings. Write access via web intents.  
*Potential mitigations: Only non-sensitive settings will be exposed to regular apps.


== Trusted (authenticated by publisher) ==
=== Permissions Table===
*Use cases for authenticated code: Modify a specific setting - e.g. e-book app modifies brightness in response to lighting conditions
{| border="1" class="wikitable"
*Authorization model: Implicit
! Type
*Potential mitigations: Access to a subset of lower risk settings
! Use Cases
! Authorization Model
! Notes & Other Controls
|-  
| Web Content || None || No access
|-
| Installed Web Apps || None || No access
|-
| Privileged Web Apps || None || No access
|-  
| Certified Web Apps || Settings manager app || Implicit
|}


== Certified (vouched for by trusted 3rd party) ==
[[Category:Web APIs]]
*Use cases for certified code: replacement settings manager app
[[Category:Security]]
*Authorization model: Implicit access to all settings
*Potential mitigations: None
Chaasof
Confirmed users
1,340

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/456220...1021349"