WebAPI/Security/ScreenOrientation: Difference between revisions
(Created page with "Name of API: Screen Orientation Reference: bug 720794 bug 673922 Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/285ab0bebdad0b7d/...") |
No edit summary |
||
Line 1: | Line 1: | ||
Name of API: Screen Orientation | Name of API: Screen Orientation | ||
References: | |||
*{{bug|720794}} | |||
Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/285ab0bebdad0b7d/9b7ba31dc934014f | *{{bug|673922}} | ||
*Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/285ab0bebdad0b7d/9b7ba31dc934014f | |||
Brief purpose of API: Get notification when screen orientation changes as well as lock the screen orientation | Brief purpose of API: Get notification when screen orientation changes as well as lock the screen orientation | ||
Line 9: | Line 10: | ||
Inherent threats: minor information leakage (device orientation), minor user inconvenience (lock device orientation) | Inherent threats: minor information leakage (device orientation), minor user inconvenience (lock device orientation) | ||
Threat severity: | Threat severity: Low per https://wiki.mozilla.org/Security_Severity_Ratings | ||
== Regular web content (unauthenticated) == | == Regular web content (unauthenticated) == | ||
Use cases for unauthenticated code: Prevent screen orientation from changing when playing a game utilizing device motion. Switch screen orientation when switching between different parts of an app (i.e. from playlist to video playback). API wise, this means detecting orientation and setting/locking orientation. | Use cases for unauthenticated code: Prevent screen orientation from changing when playing a game utilizing device motion. Switch screen orientation when switching between different parts of an app (i.e. from playlist to video playback). API wise, this means detecting orientation and setting/locking orientation. | ||
Authorization model for normal content: | Authorization model for normal content: Implicit for detecting orientation, implicit for locking/setting orientation in fullscreen only | ||
Authorization model for installed content: | Authorization model for installed content: Implicit for both | ||
Potential mitigations: As mentioned, normal content can only set/lock orientation in fullscreen. Only top-level content can set/lock. | Potential mitigations: As mentioned, normal content can only set/lock orientation in fullscreen. Only top-level content can set/lock. | ||
== | == Privileged (approved by app store) == | ||
Use cases for | Use cases for privileged code: Same as unauthenticated | ||
Authorization model: | Authorization model: Implicit | ||
Potential mitigations: None | Potential mitigations: None | ||
== Certified ( | == Certified (system-critical apps) == | ||
Use cases for certified code: Same as above | Use cases for certified code: Same as above | ||
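Review bot: The added "Authorization model for installed content: Implicit for both" and "Authorization model: Implicit" (Privileged) lines leave the scope of the top-level restriction unclear. The mitigation line says "Only top-level content can set/lock" without naming a content class, and the fullscreen rule names only "normal content", while the Privileged section keeps "Potential mitigations: None". State explicitly whether installed and privileged content in a frame can set/lock, and if the top-level rule still applies to them, list it under their mitigations instead of "None".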
Revision as of 21:33, 6 August 2012
Name of API: Screen Orientation
References:
- bug 720794
- bug 673922
- Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/285ab0bebdad0b7d/9b7ba31dc934014f
Brief purpose of API: Get notification when screen orientation changes as well as lock the screen orientation
Inherent threats: minor information leakage (device orientation), minor user inconvenience (lock device orientation)
Threat severity: Low per https://wiki.mozilla.org/Security_Severity_Ratings
Regular web content (unauthenticated)
Use cases for unauthenticated code: Prevent screen orientation from changing when playing a game utilizing device motion. Switch screen orientation when switching between different parts of an app (e.g. from playlist to video playback). API-wise, this means detecting orientation and setting/locking orientation.
Authorization model for normal content: Implicit for detecting orientation, implicit for locking/setting orientation in fullscreen only
Authorization model for installed content: Implicit for both
Potential mitigations: As mentioned, normal content can only set/lock orientation in fullscreen. Only top-level content can set/lock.
Privileged (approved by app store)
Use cases for privileged code: Same as unauthenticated
Authorization model: Implicit
Potential mitigations: None
Certified (system-critical apps)
Use cases for certified code: Same as above
Authorization model: Same as above
Potential mitigations: None
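As an added example (not part of the original review and not Mozilla's implementation), the authorization rules above can be written as a decision function and run over constructed requests. The content-level names, the `ctx` fields and the scope of the top-level rule for installed content are assumptions.

```javascript
// Added illustration, not Mozilla code. All names here are hypothetical.
const LEVELS = ['web', 'installed', 'privileged', 'certified'];

// Detecting orientation is implicit (no prompt) for every content level.
function mayReadOrientation(ctx) {
  return LEVELS.includes(ctx.level);
}

// Decide a set/lock request. ctx = { level, topLevel, fullscreen }.
function mayLockOrientation(ctx) {
  if (!LEVELS.includes(ctx.level)) {
    return { allowed: false, reason: 'unknown content level' };
  }
  const regular = ctx.level === 'web' || ctx.level === 'installed';
  // Assumption: the top-level rule covers the whole "Regular web content"
  // section (web and installed); privileged/certified list no mitigations.
  if (regular && !ctx.topLevel) {
    return { allowed: false, reason: 'only top-level content can set/lock' };
  }
  // Normal (non-installed) web content may set/lock in fullscreen only.
  if (ctx.level === 'web' && !ctx.fullscreen) {
    return { allowed: false, reason: 'normal content must be fullscreen' };
  }
  return { allowed: true, reason: 'implicit' };
}

// Constructed sample requests (not real telemetry).
const SAMPLE_REQUESTS = [
  { id: 'game-tab', level: 'web', topLevel: true, fullscreen: false },
  { id: 'game-fullscreen', level: 'web', topLevel: true, fullscreen: true },
  { id: 'ad-iframe', level: 'web', topLevel: false, fullscreen: true },
  { id: 'installed-app', level: 'installed', topLevel: true, fullscreen: false },
  { id: 'store-app', level: 'privileged', topLevel: true, fullscreen: false },
];

// Return "id: allow|deny (reason)" for each request, e.g. for a review table.
function evaluate(requests) {
  return requests.map((r) => {
    const d = mayLockOrientation(r);
    return `${r.id}: ${d.allowed ? 'allow' : 'deny'} (${d.reason})`;
  });
}

console.log(evaluate(SAMPLE_REQUESTS).join('\n'));
```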