WebAPI/Security/Settings: Difference between revisions

← Older edit

WebAPI/Security/Settings (view source)

Revision as of 23:42, 1 October 2014

467 bytes removed , 1 October 2014

no edit summary

Chaasof

Confirmed users

1,340

edits

@@ Line 1: / Line 1: @@
-Name of API: Settings API
+== Settings API ==
-References:
-*https://bugzilla.mozilla.org/show_bug.cgi?id=678695
-*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/jkzLINWWiQA/discussion
 Brief purpose of API: API to configure device settings
@@ Line 15: / Line 11: @@
 Threat severity: High
-== Regular web content (unauthenticated) ==
+References:
-Use cases for unauthenticated code: Read/change non-sensitive settings
+*https://bugzilla.mozilla.org/show_bug.cgi?id=678695
+*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/jkzLINWWiQA/discussion
-Authorization model for normal content: None
-Authorization model for installed content: Implicit read access to limited settings. Write access via web activities.
-Potential mitigations: Only non-sensitive settings will be exposed to regular apps.
-== Privileged (approved by app store) ==
-Use cases for authenticated code: Modify a specific setting - e.g. e-book app modifies brightness in response to lighting conditions
-Authorization model: Implicit
-Potential mitigations: Access to a subset of lower risk settings
-== Certified (system-critical apps) ==
-Use cases for certified code: replacement settings manager app
-Authorization model: Implicit access to all settings
+=== Permissions Table===
+{| border="1" class="wikitable"
+! Type
+! Use Cases
+! Authorization Model
+! Notes & Other Controls
+|-
+| Web Content || None || No access
+|-
+| Installed Web Apps || None || No access
+|-
+| Privileged Web Apps || None || No access
+|-
+| Certified Web Apps || Settings manager app || Implicit
+|}
-Potential mitigations: None
+[[Category:Web APIs]]
+[[Category:Security]]