WebAPI/Security/WebTelephony: Difference between revisions

no edit summary
mNo edit summary
No edit summary
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Name of API: WebTelephony
== WebTelephony ==


Brief purpose of API: Make and receive phone calls
Brief purpose of API: Make and receive phone calls
*WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
*B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
*Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion


General Use Cases: None
General Use Cases: None
Line 19: Line 14:
Threat severity: high to critical, confidential information disclosure and direct financial risk
Threat severity: high to critical, confidential information disclosure and direct financial risk


== Regular web content (unauthenticated) ==
References:
Use cases for unauthenticated code: click on a phone number in an email or browser to dial
*WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
 
*B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
Authorization model for uninstalled web content: Explicit (web activities)
*Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
 
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion
Authorization model for installed web content: Explicit (web activities)
 
Potential mitigations: When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger.
 
== Privileged (authenticated by publisher) ==
Use cases for authenticated code: As per regular web app.
 
Authorization model: Explicit (web activities)
 
Potential mitigations: When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger.


== Certified (vouched for by trusted 3rd party) ==
{| border="1" class="wikitable"
Use cases for certified code:
! Type
! Use Cases
! Authorization Model
! Notes & Other Controls
|-
| Web Content || click on a phone number in an email or browser to dial || No direct access (access via web activities) || When user clicks on a phone number, app triggers a web activity to initiate the call.  User interaction required to trigger.
|-
| Installed Web Apps || As Above || No direct access (access via web activities) || As above.
|-
| Privileged Web Apps || As Above || No direct access (access via web activities) || As above.
|-
| Certified Web Apps ||
* Handler for telephony web activities
* Handler for telephony web activities
* Replacement dialer
* Replacement dialer
* Voice conference software (e.g. connect Voip with a mobile call)?
* Voice conference software (e.g. connect Voip with a mobile call)?
* Mediate incoming calls (accept/reject/merge)
* Mediate incoming calls (accept/reject/merge)
* Query transceiver state
* Query transceiver state  
 
|| Implicit
Authorization model: Implicit
|}
__NOTOC__


Potential mitigations: None
[[Category:Web APIs]]
[[Category:Security]]
Confirmed users
1,340

edits