|
|
| Line 2: |
Line 2: |
|
| |
|
| ===Web Content (not exhaustive)=== | | ===Web Content (not exhaustive)=== |
| {| border="1" | | {| {{table}} |
| ! API!!Action!!Explicit!!Visual Indicator!!Mitigations
| | | API||Action||Web Content||Untrusted App||Trusted App||Certified App||Visual Indicator||Mitigations||Notes |
| |- | | |- |
| | Screen Orientation||lock screen orientation, detect changes||No||No||Rules regarding fullscreen and iframe ancestors | | | Geolocation API||Obtain current location of user||Explicit (prompt)||Explicit (prompt)||Explicit (prompt)||Implicit||Yes|||| |
| |- | | |- |
| | Vibration API||||No||||Limit how long vibrations can run. Only foreground content can trigger vibration. | | | IdleAPI||Detect user inactive||Explicit (prompt)||Explicit (prompt)||Implicit||Implicit||No||Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference.|| |
| |- | | |- |
| | ResourceLock API||Prevent the screen from being dimmed or switched off||No||No||Only allowed when content is fullscreen | | | Battery Status API||Information about battery charge level and if device is plugged in.||Implicit||Implicit||Implicit||Implicit||No|||| |
| |- | | |- |
| | Geolocation API||Obtain current location of user|||||| | | | Network Information API||Get basic information about current network connectivity.||Implicit||Implicit||Implicit||Implicit||No|||| |
| |- | | |- |
| | Mouse Lock API||Lock access to mouse and get access to movement deltas rather than coordinates.||Yes||No|| | | | ResourceLock API||Prevent the screen from being dimmed or switched off||Implicit||Implicit||Implicit||Implicit||No|||| |
| |- | | |- |
| | Network Information API||Get basic information about current network connectivity.||No||No|| | | | Vibration API||||Implicit||Implicit||Implicit||Implicit||||Limit how long vibrations can run. Only foreground content can trigger vibration.|| |
| |- | | |- |
| | Battery Status API||Information about battery charge level and if device is plugged in.||No||No|| | | | Screen Orientation||lock screen orientation, detect changes||Implicit (foreground only)||Implicit (foreground only)||Implicit||Implicit||No||Rules regarding fullscreen and iframe ancestors|| |
| |} | |
| | |
| ===Untrusted Web Apps===
| |
| {| border="1"
| |
| ! API!!Action!!Explicit!!Visual Indicator!!Mitigations
| |
| |- | | |- |
| | Screen Orientation||Lock screen orientation||No||No|| | | | WebSMS||All SMS APIs||||||Explicit (prompt)||Implicit||No||Open question: can trusted app register as a SMS handler. Can\'t replace certified SMS app|| |
| |- | | |- |
| | Vibration API||||No||No|| | | | TCP Socket API||Connect to TCP socket||||||Implicit||Implicit||No||Open question for trusted apps: port/address limitations? Connect only? No listen?|| |
| |- | | |- |
| | IdleAPI||Detect user inactive||Yes||No||Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. | | | UDP Datagram Socket API||Low-level UDP API||||||Implicit||Implicit||No|||| |
| |- | | |- |
| | ResourceLock API||Prevent the screen from being dimmed or switched off||No||No|| | | | WebTelephony||All Web Telephony APIs||||||Implicit||Implicit||Yes||Can\'t replace certified dialer|| |
| |- | | |- |
| | Geolocation API||Obtain current location of user||Yes|||| | | | Alarm API||Schedule a notification, or for an application to be started, at a specific time.||||||||Implicit||No|||| |
| |- | | |- |
| | Mouse Lock API||Lock access to mouse and get access to movement deltas rather than coordinates.||Yes||No|| | | | Background services||Enable a web application to run in the background and perform tasks like syncing or respond to incoming messages.||||||||Implicit||No||Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference.|| |
| |- | | |- |
| | Network Information API||Get basic information about current network connectivity.||No||No|| | | | Browser API||Enables implementing a browser completely in web technologies.||||||||Implicit||No|||| |
| |- | | |- |
| | Battery Status API||Information about battery charge level and if device is plugged in.||No||No|| | | | Calendar API||Add/Read/Modify to the device calendar.||||||||Implicit||No|||| |
| |} | |
| | |
| ===Trusted Web Apps===
| |
| {| border="1"
| |
| ! API!!Action!!Explicit!!Visual Indicator!!Mitigations
| |
| |- | | |- |
| | Screen Orientation||Lock screen orientation||No||No|| | | | Camera API||This is part of the larger WebRTC effort. This is a big piece of work so see the link.||||||||Implicit||No|||| |
| |- | | |- |
| | WebTelephony||All Web Telephony APIs||No||Yes||Can\'t replace certified dialer | | | Contacts API||Add/Read/Modify the device contacts address book.||||||||Implicit||No|||| |
| |- | | |- |
| | Vibration API||||No||No|| | | | Device Capabilities API||Check if the device has certain capabilities, such as front-facing camera, gps, etc.||||||||Implicit||No|||| |
| |- | | |- |
| | WebSMS||All SMS APIs||Yes||No||Open question: can trusted app register as a SMS handler. Can\'t replace certified SMS app | | | Device Storage API||Add/Read/Modify files stored on a central location on the device. For example the \"pictures\" folder on modern desktop platforms or the photo storage in mobile devices.||||||||Implicit||No|||| |
| |- | | |- |
| | IdleAPI||Detect user inactive||No||No||Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. | | | HTTP-cache API||Query what\'s stored in the browsers http-cache. Add/remove entries. Update expiration time. Get data directly from cache.||||||||Implicit||No|||| |
| |- | | |- |
| | ResourceLock API||Prevent the screen from being dimmed or switched off||No||No|| | | | Keyboard/IME API||Enables implementing virtual keyboards.||||||||Implicit||No|||| |
| |- | | |- |
| | TCP Socket API||Connect to TCP socket||No||No||Open question: port/address limitations? Connect only? No listen? | | | LogAPI ||Allows to register the user activity on the phone. ||||||||Implicit||No|||| |
| |- | | |- |
| | Geolocation API||Obtain current location of user||Yes||Yes|| | | | MobileConnection API||This exposes information about the current mobile voice and data connection to (certain) HTML content.||||||||Implicit||No|||| |
| |- | | |- |
| | UDP Datagram Socket API||Low-level UDP API||No||No|| | | | PowerManagementAPI||Turn on/off screen, cpu, device power, etc. Listen and inspect resource lock events.||||||||Implicit||No|||| |
| |- | | |- |
| | Sensor API||Access to device sensors such as accelerometer, magnetic field (compass), proximity, ambient light etc.|||||| | | | Push Notifications API||Allow the platform to send notification messages to specific applications.||||||||Implicit||No|||| |
| |- | | |- |
| | Mouse Lock API||Lock access to mouse and get access to movement deltas rather than coordinates.||No||No|| | | | Sensor API||Access to device sensors such as accelerometer, magnetic field (compass), proximity, ambient light etc.||||||||Implicit||No|||| |
| |- | | |- |
| | Network Information API||Get basic information about current network connectivity.||No||No|| | | | Settings API||API to configure device settings||||||||Implicit||No|||| |
| |- | | |- |
| | Battery Status API||Information about battery charge level and if device is plugged in.||No||No|| | | | Time/Clock API||Set current time. Timezone will go in the Settings API.||||||||Implicit||No|||| |
| |- | | |- |
| | Contacts API||Add/Read/Modify the device contacts address book.||No||No|| | | | USB file-reading API||Add/Read/Modify files stored on memory cards and USB keys connected to the device. Get notified when storage devices are connected/disconnected. Will be very similar to the Device Storage API above with a few additional methods.||||||||Implicit||No|||| |
| |- | | |- |
| | Camera API||This is part of the larger WebRTC effort. This is a big piece of work so see the link.||No||No|| | | | WebBluetooth||Low level access to Bluetooth hardware.||||||||Implicit||No|||| |
| |- | | |- |
| | WiFi API|| Enumerate available WiFi networks, associate with a network etc.||Yes||No|| | | | WebNFC||Low level access to NFC hardware. So far focusing on NDEF support.||||||||Implicit||No|||| |
| |} | |
| | |
| | |
| ===Certified Web Apps===
| |
| {| border="1"
| |
| ! API!!Action!!Explicit!!Visual Indicator!!Mitigations
| |
| |- | | |- |
| | Screen Orientation||Lock screen orientation||No||No|| | | | WebUSB||Low level access to USB hardware.||||||||Implicit||No|||| |
| |- | | |- |
| | WebSMS||All SMS APIs||No||No|| | | | WiFi Information API|| Enumerate available WiFi networks, get signal strength and name of currently connected network, etc.||||||||Implicit||No|||| |
| |-
| |
| | WebTelephony||All Web Telephony APIs||No||Yes||
| |
| |-
| |
| | Vibration API||||No||No||
| |
| |-
| |
| | IdleAPI||Detect user inactive||No||No||Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference.
| |
| |-
| |
| | Settings API||API to configure device settings||No||No||
| |
| |-
| |
| | ResourceLock API||Prevent the screen from being dimmed or switched off||No||No||
| |
| |-
| |
| | PowerManagementAPI||Turn on/off screen, cpu, device power, etc. Listen and inspect resource lock events.||No||No||
| |
| |-
| |
| | MobileConnection API||This exposes information about the current mobile voice and data connection to (certain) HTML content.||No||No||
| |
| |-
| |
| | TCP Socket API||Create raw TCP Sockets||No||No||
| |
| |-
| |
| | Geolocation API||Obtain current location of user||No||Yes||
| |
| |-
| |
| | UDP Datagram Socket API||||No||No||
| |
| |-
| |
| | Sensor API||Access to device sensors such as accelerometer, magnetic field (compass), proximity, ambient light etc.||No||No||
| |
| |-
| |
| | WiFi API|| Enumerate available WiFi networks, associate with a network etc.||No||No||
| |
| |-
| |
| | Device Storage API||Add/Read/Modify files stored on a central location on the device. For example the \"pictures\" folder on modern desktop platforms or the photo storage in mobile devices.||No||No||
| |
| |-
| |
| | USB file-reading API||Add/Read/Modify files stored on memory cards and USB keys connected to the device. Get notified when storage devices are connected/disconnected. Will be very similar to the Device Storage API above with a few additional methods.||No||No||
| |
| |-
| |
| | Contacts API||Add/Read/Modify the device contacts address book.||No||No||
| |
| |-
| |
| | Camera API||This is part of the larger WebRTC effort. This is a big piece of work so see the link.||No||No||
| |
| |-
| |
| | Peer to Peer API||This is part of the larger WebRTC effort. This is a big piece of work so see the link.||No||No||
| |
| |-
| |
| | Mouse Lock API||Lock access to mouse and get access to movement deltas rather than coordinates.||No||No||
| |
| |-
| |
| | Open WebApps||Install web apps and manage installed webapps. Also allows an installed webapp to get payment information. Everything needed to build a Opeb WebApps app store.||No||No||
| |
| |-
| |
| | WebNFC||Low level access to NFC hardware. So far focusing on NDEF support.||No||No||
| |
| |-
| |
| | WebBluetooth||Low level access to Bluetooth hardware.||No||No||
| |
| |-
| |
| | WebUSB||Low level access to USB hardware.||No||No||
| |
| |-
| |
| | Network Information API||Get basic information about current network connectivity.||No||No||
| |
| |-
| |
| | Battery Status API||Information about battery charge level and if device is plugged in.||No||No||
| |
| |-
| |
| | HTTP-cache API||Query what\'s stored in the browsers http-cache. Add/remove entries. Update expiration time. Get data directly from cache.||No||No||
| |
| |-
| |
| | Alarm API||Schedule a notification, or for an application to be started, at a specific time.||No||No||
| |
| |-
| |
| | Browser API||Enables implementing a browser completely in web technologies.||No||No||
| |
| |-
| |
| | Time/Clock API||Set current time. Timezone will go in the Settings API.||No||No||
| |
| |-
| |
| | Calendar API||Add/Read/Modify to the device calendar.||No||No||
| |
| |-
| |
| | Intents/Activities/Actions||Have a problem? This API will be able solve it.||No||No||
| |
| |-
| |
| | Device Capabilities API||Check if the device has certain capabilities, such as front-facing camera, gps, etc.||No||No||
| |
| |-
| |
| | Keyboard/IME API||Enables implementing virtual keyboards.||No||No||
| |
| |-
| |
| | Spellcheck API||Enable webpages to check if a piece of text is correctly spelled as well as get suggestions for corrections.||No||No||
| |
| |-
| |
| | Background services||Enable a web application to run in the background and perform tasks like syncing or respond to incoming messages.||No||No||
| |
| |- | |
| | Push Notifications API||Allow the platform to send notification messages to specific applications.||No||No|| | |
| |-
| |
| | LogAPI ||Allows to register the user activity on the phone. ||No||No||
| |
| |} | | |} |