WebAPI/Security/WebTelephony: Difference between revisions

no edit summary
No edit summary
 
(12 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
== WebTelephony ==


Brief purpose of API: Make and receive phone calls
Brief purpose of API: Make and receive phone calls
*WebAPI:https://wiki.mozilla.org/WebAPI/WebTelephony
*B2G Meta telephony bughttps://bugzilla.mozilla.org/show_bug.cgi?id=699235
*Web Telephony meta bug:https://bugzilla.mozilla.org/show_bug.cgi?id=674726


General Use Cases: None
General Use Cases: None
Line 18: Line 14:
Threat severity: high to critical, confidential information disclosure and direct financial risk
Threat severity: high to critical, confidential information disclosure and direct financial risk


== Regular web content (unauthenticated) ==
References:
Use cases for unauthenticated code: click on a phone number in an email or browser to dial
*WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
*Authorization model for uninstalled web content: explicit (web activities)
*B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
*Authorization model for installed web content: explicit (web activities)
*Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
*Potential mitigations: When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger.
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion
 
== Trusted (authenticated by publisher) ==
Use cases for authenticated code:
* Fun dialers (eg. rotary dialer)
Authorization model: explicit (web activities)


== Certified (vouched for by trusted 3rd party) ==
{| border="1" class="wikitable"
Use cases for certified code:
! Type
! Use Cases
! Authorization Model
! Notes & Other Controls
|-
| Web Content || click on a phone number in an email or browser to dial || No direct access (access via web activities) || When user clicks on a phone number, app triggers a web activity to initiate the call.  User interaction required to trigger.
|-
| Installed Web Apps || As Above || No direct access (access via web activities) || As above.
|-
| Privileged Web Apps || As Above || No direct access (access via web activities) || As above.
|-
| Certified Web Apps ||
* Handler for telephony web activities
* Handler for telephony web activities
* Replacement dialer
* Replacement dialer
* Voice conference software (e.g. connect Voip with a mobile call)?
* Voice conference software (e.g. connect Voip with a mobile call)?
* Mediate incoming calls (accept/reject/merge)
* Mediate incoming calls (accept/reject/merge)
* Query transceiver state
* Query transceiver state  
Authorization model: implicit
|| Implicit
Potential mitigations: none
|}
__NOTOC__
 
[[Category:Web APIs]]
[[Category:Security]]
Confirmed users
1,340

edits