WebAPI/Security/TCPSocket: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) |
No edit summary |
||
(6 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
== Socket API == | |||
Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc | Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc | ||
General Use Cases: None | General Use Cases: None | ||
Inherent threats:Malicious apps attacking internal systems (firewall bypass), local device access | Inherent threats: Malicious apps attacking internal systems (firewall bypass), local device access | ||
Threat severity: High | Threat severity: High | ||
Reference | |||
* | *https://bugzilla.mozilla.org/show_bug.cgi?id=733573 | ||
* | *Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Asm37KDoVB4/discussion | ||
=== Permissions Table=== | |||
== | {| border="1" class="wikitable" | ||
! Type | |||
! Use Cases | |||
* | ! Authorization Model | ||
*Specify hosts/ports in the manifest, permissions granted implicitly. | ! Notes & Other Controls | ||
|- | |||
| Web Content || None|| No access || | |||
|- | |||
| Installed Web Apps || None || No access || | |||
|- | |||
| Privileged Web Apps || Talk to non-HTTP services. SSH, FTP, mail clients, supporting custom protocols || Implicit|| | |||
*Firewall should prohibit access to privileged low number OS ports (<1024). | |||
*Listening on a port < 1024 should be prohibited. | |||
*Specify hosts/ports in the manifest, permissions granted implicitly. | |||
|- | |||
| Certified Web Apps || Open a connection to any domain/port || Implicit || specify hosts/ports in the manifest, permissions granted implicitly and not able to be revoked (unless device is in developer mode) | |||
|} | |||
[[Category:Web APIs]] | |||
[[Category:Security]] | |||
Latest revision as of 23:42, 1 October 2014
Socket API
Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc
General Use Cases: None
Inherent threats: Malicious apps attacking internal systems (firewall bypass), local device access
Threat severity: High
Reference
- https://bugzilla.mozilla.org/show_bug.cgi?id=733573
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Asm37KDoVB4/discussion
Permissions Table
Type | Use Cases | Authorization Model | Notes & Other Controls |
---|---|---|---|
Web Content | None | No access | |
Installed Web Apps | None | No access | |
Privileged Web Apps | Talk to non-HTTP services. SSH, FTP, mail clients, supporting custom protocols | Implicit |
|
Certified Web Apps | Open a connection to any domain/port | Implicit | specify hosts/ports in the manifest, permissions granted implicitly and not able to be revoked (unless device is in developer mode) |