WebAPI/Security/TCPSocket: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 32: Line 32:
| Certified Web Apps || Open a connection to any domain/port || Implicit || specify hosts/ports in the manifest, permissions granted implicitly and not able to be revoked (unless device is in developer mode)
| Certified Web Apps || Open a connection to any domain/port || Implicit || specify hosts/ports in the manifest, permissions granted implicitly and not able to be revoked (unless device is in developer mode)
|}
|}
[[Category:Web APIs]]
[[Category:Security]]

Latest revision as of 23:42, 1 October 2014

Socket API

Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc

General Use Cases: None

Inherent threats: Malicious apps attacking internal systems (firewall bypass), local device access

Threat severity: High

Reference

Permissions Table

Type Use Cases Authorization Model Notes & Other Controls
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps Talk to non-HTTP services. SSH, FTP, mail clients, supporting custom protocols Implicit
  • Firewall should prohibit access to privileged low number OS ports (<1024).
  • Listening on a port < 1024 should be prohibited.
  • Specify hosts/ports in the manifest, permissions granted implicitly.
Certified Web Apps Open a connection to any domain/port Implicit specify hosts/ports in the manifest, permissions granted implicitly and not able to be revoked (unless device is in developer mode)