WebAPI/Security/Idle: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 28: Line 28:
| Certified Web Apps || Notify an app if the user is idle. || Implicit
| Certified Web Apps || Notify an app if the user is idle. || Implicit
|}
|}
=== Regular web content (unauthenticated) ===
Use cases for unauthenticated code: None.
Authorization model for normal content: No Access.
*Installed Web Apps
**Use cases for unauthenticated code: None.
**Authorization model for normal content: No access.
*Privileged (approved by app store)
*Use cases for privileged code: None.
**Authorization model: No access.
=== Certified (system-critical apps) ===
Use cases for certified code: Notify an app if the user is idle <br>
Authorization model: Implicit <br>
Potential mitigations: Due to the privacy risks associated with this API, access is limited to certified applications. (See https://bugzilla.mozilla.org/show_bug.cgi?id=780507 for further detail).

Revision as of 02:04, 24 September 2012

Name of API: Idle API

References:

Brief purpose of API: Notify an app if the user is idle.
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program).

Inherent threats:

  • Privacy implications
    • Signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
    • Could be used by a workplace to monitor activity by monitoring system idle

Threat severity: Low


Type Use Cases Authorization Model
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps None No access
Certified Web Apps Notify an app if the user is idle. Implicit
Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Idle&oldid=472912"