WebAPI/Security/NetworkInfo
Latest revision as of 23:41, 1 October 2014

Network Information API

Brief purpose of API: Allow content to learn whether the current network connection is metered (and roughly how much bandwidth it offers) so that apps can limit their data consumption.

API Endpoint: navigator.connection.*

General Use Cases:

  • Read current bandwidth estimate or ask if connection is metered
  • Listen for connection change events
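
As an added example, not code from this wiki page, the consumer side of the use cases above in JavaScript: it reads navigator.connection, turns the result into a download policy, and re-evaluates that policy on every 'change' event. The property names it accepts are assumptions: bandwidth (MB/s) and metered from the 2014 Mozilla proposal, downlink (Mb/s) and saveData from the later W3C/WICG draft, plus the vendor-prefixed mozConnection/webkitConnection aliases; it normalises whichever is present. The fake navigator at the bottom is constructed so the file also runs under Node without a browser.

```javascript
// Added example: consumer-side use of navigator.connection.
// ASSUMED property names (normalised below): bandwidth (MB/s) + metered
// from the 2014 Mozilla proposal; downlink (Mb/s) + saveData from the later
// W3C/WICG draft; mozConnection/webkitConnection vendor aliases.

const LARGE_DOWNLOAD_BYTES = 10 * 1024 * 1024; // policy threshold chosen for this example
const LOW_BANDWIDTH_MBPS = 1;                  // below this, prefer low-res assets

function getConnectionObject(nav) {
  if (!nav) return null;
  return nav.connection || nav.mozConnection || nav.webkitConnection || null;
}

// Normalise whatever the browser exposes into one shape. Unknown bandwidth is
// reported as Infinity (the Mozilla proposal's convention for "unknown").
function readConnection(nav) {
  const conn = getConnectionObject(nav);
  if (!conn) return { supported: false, bandwidthMbps: Infinity, metered: false };
  let bandwidthMbps = Infinity;
  if (typeof conn.downlink === 'number') bandwidthMbps = conn.downlink;            // already Mb/s
  else if (typeof conn.bandwidth === 'number') bandwidthMbps = conn.bandwidth * 8; // MB/s -> Mb/s
  const metered = conn.metered === true || conn.saveData === true;
  return { supported: true, bandwidthMbps, metered };
}

// Decide how to fetch `sizeBytes` of content. An absent API is treated as an
// unmetered connection; a cautious app could default to 'defer' instead.
function chooseDownloadPolicy(info, sizeBytes) {
  if (!info.supported) return 'full';
  if (info.metered && sizeBytes > LARGE_DOWNLOAD_BYTES) return 'defer';
  if (info.bandwidthMbps < LOW_BANDWIDTH_MBPS) return 'low-res';
  return 'full';
}

// Evaluate the policy now and again on every 'change' event. Returns a
// function that detaches the listener.
function watchConnection(nav, sizeBytes, onPolicy) {
  const conn = getConnectionObject(nav);
  const evaluate = () => onPolicy(chooseDownloadPolicy(readConnection(nav), sizeBytes));
  evaluate();
  if (!conn) return () => {};
  if (typeof conn.addEventListener === 'function') {
    conn.addEventListener('change', evaluate);
    return () => conn.removeEventListener('change', evaluate);
  }
  conn.onchange = evaluate; // older implementations only expose the handler property
  return () => { conn.onchange = null; };
}

// Constructed fake navigator so the file runs outside a browser. simulateChange
// is a test hook, not part of any real API.
function makeFakeNavigator(initialProps) {
  const listeners = new Set();
  const conn = {
    addEventListener(type, fn) { if (type === 'change') listeners.add(fn); },
    removeEventListener(type, fn) { listeners.delete(fn); },
    simulateChange(patch) {
      Object.assign(conn, patch);
      for (const fn of listeners) fn({ type: 'change' });
    },
  };
  Object.assign(conn, initialProps);
  return { connection: conn };
}

// Stand-alone demo: a metered 0.4 Mb/s link, then a fast unmetered one.
if (typeof window === 'undefined') {
  const nav = makeFakeNavigator({ bandwidth: 0.05, metered: true });
  const log = [];
  const stop = watchConnection(nav, 50 * 1024 * 1024, (policy) => log.push(policy));
  nav.connection.simulateChange({ bandwidth: 2, metered: false });
  stop();
  console.log(log.join(' -> ')); // defer -> full
}
```

The policy function is kept separate from the event plumbing so it can be unit-tested with plain objects; the listener just re-runs it, which is also what a page should do rather than caching the first reading, since the connection can change while the app is open.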

Inherent threats: Privacy. Connection state and 'change' events are readable by every origin without any permission prompt, so two pages that observe the same change at the same instant can be linked to the same device (de-anonymizing the user), and a sequence of changes can reveal when the user moves between networks, for example from Wi-Fi to cellular.

References:

  • https://bugzilla.mozilla.org/show_bug.cgi?id=677166
  • https://wiki.mozilla.org/WebAPI/NetworkAPI
  • http://groups.google.com/group/mozilla.dev.webapi/browse_thread/thread/464d2a5ca3ed0e05/68e2de5b987f28d9

Threat severity: Low

Permissions Table

Type                 Use Cases                        Authorization Model     Notes & Other Controls
Web Content          As per general use cases above.  No permission required  See potential mitigations below
Installed Web Apps   As per general use cases above.  No permission required  See potential mitigations below
Privileged Web Apps  As per general use cases above.  No permission required  See potential mitigations below
Certified Web Apps   As per general use cases above.  No permission required  See potential mitigations below

Potential mitigations: Fuzz the exact time at which the network change event is delivered, in a similar manner to the Idle API, so that change events seen at the same instant by unrelated origins cannot be used to link them.
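
As an added example, not code from this wiki page, a small simulation of the linking threat and of what jittering event delivery buys. Two origins (the names a.example and b.example are constructed) each observe the same physical network changes; an adversary who receives both event streams pairs them by timestamp. The event bus, the timestamps and the jitter bound are all constructed for the demo; the per-delivery random delay is one way to implement the timing fuzz described above, not a description of any browser's implementation.

```javascript
// Added example: why simultaneous 'change' events are a cross-origin linking
// risk, and what jittering delivery buys. Origin names, timestamps and the
// jitter bound are constructed for this demo.

// Minimal stand-in for the browser's event delivery. Each origin's page
// registers a listener; jitterFor(origin) is the extra delay (ms) the
// browser adds before that origin's listener sees the event.
function makeEventBus(jitterFor) {
  const listeners = new Map(); // origin -> [listener]
  return {
    subscribe(origin, fn) {
      if (!listeners.has(origin)) listeners.set(origin, []);
      listeners.get(origin).push(fn);
    },
    // A physical network change happened at `atMs`.
    fireChange(atMs) {
      for (const [origin, fns] of listeners) {
        const delivered = atMs + jitterFor(origin);
        for (const fn of fns) fn({ type: 'change', timeStamp: delivered });
      }
    },
  };
}

// Adversary side: both origins report their observed event times to one
// collector, which pairs events whose times agree within toleranceMs.
// Returns how many of A's events found a partner in B.
function correlate(timesA, timesB, toleranceMs) {
  const unused = timesB.slice();
  let matches = 0;
  for (const ta of timesA) {
    const i = unused.findIndex((tb) => Math.abs(ta - tb) <= toleranceMs);
    if (i !== -1) { matches += 1; unused.splice(i, 1); }
  }
  return matches;
}

// Deliver the constructed changes to both origins and collect what each saw.
function observe(jitterFor, changeTimesMs) {
  const bus = makeEventBus(jitterFor);
  const seen = { 'a.example': [], 'b.example': [] };
  for (const origin of Object.keys(seen)) {
    bus.subscribe(origin, (ev) => seen[origin].push(ev.timeStamp));
  }
  for (const t of changeTimesMs) bus.fireChange(t);
  return seen;
}

// Mitigation: a fresh random delay in [0, maxMs) for every delivery. A small
// seeded LCG replaces Math.random so runs are reproducible.
function makeJitter(maxMs, seed) {
  let state = seed >>> 0;
  return () => {
    state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
    return (state >>> 8) % maxMs;
  };
}
const NO_JITTER = () => 0;

// Ten constructed changes, a minute apart, so only the same event can pair.
const CHANGE_TIMES = Array.from({ length: 10 }, (_, i) => 1000000 + i * 60000);
const JITTER_MAX_MS = 5000;
const ADVERSARY_TOLERANCE_MS = 50;

function runComparison() {
  const exact = observe(NO_JITTER, CHANGE_TIMES);
  const fuzzed = observe(makeJitter(JITTER_MAX_MS, 42), CHANGE_TIMES);
  return {
    exactMatches: correlate(exact['a.example'], exact['b.example'], ADVERSARY_TOLERANCE_MS),
    fuzzedMatches: correlate(fuzzed['a.example'], fuzzed['b.example'], ADVERSARY_TOLERANCE_MS),
    // What a patient adversary gets back by widening the window to the jitter bound.
    fuzzedWideMatches: correlate(fuzzed['a.example'], fuzzed['b.example'], JITTER_MAX_MS),
  };
}

if (typeof window === 'undefined') console.log(runComparison());
```

The third figure is the caveat: jitter only lowers the timing resolution, and an adversary who widens the matching window to the jitter bound, or who collects enough events to match on ordering and rough spacing, still pairs the sessions. Fuzzing raises the cost of the attack; it does not remove the signal, which is why the stronger control is to expose less (coarser state, fewer events) to untrusted content in the first place.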