WebAPI/Security/NetworkInfo: Difference between revisions

Revision as of 11:21, 25 June 2012

Name of API: Network Information API Sec

References:

Brief purpose of API: Allow content to understand if current network connectivity is metered in order to allow apps to limit consumption

General Use Cases:

Inherent threats: Privacy (de-anonymize users based on connection change events?)

Threat severity: Low

Use cases for unauthenticated code: Read current bandwidth estimate or ask if connection is metered

Authorization model for normal content: Implicit

Authorization model for installed content: Implicit

Potential mitigations: Maybe fuzz the exact time of the network change event in a similar manner to idle API.

Use cases for authenticated code: As above

Use cases for trusted code: As above

Potential mitigations: As above

Use cases for certified code: As above

Authorization model: As above

Potential mitigations: As above

@@ Line 1: / Line 1: @@
 Name of API: Network Information API Sec
-References: <br>
+References:
-https://bugzilla.mozilla.org/show_bug.cgi?id=677166<br>
+*https://bugzilla.mozilla.org/show_bug.cgi?id=677166
-https://wiki.mozilla.org/WebAPI/NetworkAPI
+*https://wiki.mozilla.org/WebAPI/NetworkAPI
+*http://groups.google.com/group/mozilla.dev.webapi/browse_thread/thread/464d2a5ca3ed0e05/68e2de5b987f28d9
 Brief purpose of API: Allow content to understand if current network connectivity is metered in order to allow apps to limit consumption