MozillaWiki

WebAPI/Security/WebTelephony: Difference between revisions

Page Discussion

WebAPI/Security/WebTelephony (view source)

Revision as of 13:09, 24 September 2012

262 bytes removed ,  24 September 2012
no edit summary
No edit summary
Line 1: Line 1:
Name of API: WebTelephony
== WebTelephony ==


Brief purpose of API: Make and receive phone calls
Brief purpose of API: Make and receive phone calls
*WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
*B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
*Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion


General Use Cases: None
General Use Cases: None
Line 19: Line 14:
Threat severity: high to critical, confidential information disclosure and direct financial risk
Threat severity: high to critical, confidential information disclosure and direct financial risk


== Regular web content (unauthenticated) ==
References:
Use cases for unauthenticated code: click on a phone number in an email or browser to dial
*WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
*B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
*Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion


Authorization model for uninstalled web content: Explicit via web activities
{| border="1" class="wikitable"
 
! Type
Authorization model for installed web content: Explicit via web activities
! Use Cases
 
! Authorization Model
Potential mitigations: When user clicks on a phone number, app triggers a web activity to initiate the call.  User interaction required to trigger.
! Notes & Other Controls
 
|-
== Privileged (approved by app store) ==
| Web Content || click on a phone number in an email or browser to dial || No direct access (access via web activities) || When user clicks on a phone number, app triggers a web activity to initiate the call.  User interaction required to trigger.
Use cases for privileged code: As per regular web app.
|-
 
| Installed Web Apps || As Above || No direct access (access via web activities) || As above.
Authorization model: Explicit (web activities)
|-
 
| Privileged Web Apps || As Above || No direct access (access via web activities) || As above.
Potential mitigations: When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger.
|-
 
| Certified Web Apps ||
== Certified (system-critical applications) ==
Use cases for certified code:
* Handler for telephony web activities
* Handler for telephony web activities
* Replacement dialer
* Replacement dialer
* Voice conference software (e.g. connect Voip with a mobile call)?
* Voice conference software (e.g. connect Voip with a mobile call)?
* Mediate incoming calls (accept/reject/merge)
* Mediate incoming calls (accept/reject/merge)
* Query transceiver state
* Query transceiver state  
 
|| Implicit
Authorization model: Implicit
|}
 
__NOTOC__
Potential mitigations: None
Ptheriault
canmove, Confirmed users
1,220

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/472985"