WebAPI/Security/Sensor: Difference between revisions
Ptheriault (talk | contribs) (Created page with "Name of API: Sensor API Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=697361 http://dvcs.w3.org/hg/dap/raw-file/tip/sensor-api/ Brief purpose of API: Let apps access e...") |
Ptheriault (talk | contribs) |
||
| Line 13: | Line 13: | ||
== Regular web content (unauthenticated) == | == Regular web content (unauthenticated) == | ||
Use cases for unauthenticated code: Monitor environmental sensor data like temperature, barometer, magnetic field, | Use cases for unauthenticated code: Monitor environmental sensor data like temperature, barometer, magnetic field, | ||
Authorization model for normal content: Implicit | *Authorization model for normal content: Implicit | ||
Authorization model for installed content: Implicit | *Authorization model for installed content: Implicit | ||
Potential mitigations: Only available to top-level content while focused, values throttled/fuzzed to prevent side-channel attacks where applicable. (e.g. password prediction via accelerometer) | *Potential mitigations: Only available to top-level content while focused, values throttled/fuzzed to prevent side-channel attacks where applicable. (e.g. password prediction via accelerometer) | ||
== Trusted (authenticated by publisher) == | == Trusted (authenticated by publisher) == | ||
Revision as of 23:14, 18 June 2012
Name of API: Sensor API Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=697361 http://dvcs.w3.org/hg/dap/raw-file/tip/sensor-api/
Brief purpose of API: Let apps access environmental sensor data gathered by devices. General Use Cases: None
Inherent threats:Privacy
Threat severity: Moderate
Regular web content (unauthenticated)
Use cases for unauthenticated code: Monitor environmental sensor data like temperature, barometer, magnetic field,
- Authorization model for normal content: Implicit
- Authorization model for installed content: Implicit
- Potential mitigations: Only available to top-level content while focused, values throttled/fuzzed to prevent side-channel attacks where applicable. (e.g. password prediction via accelerometer)
Trusted (authenticated by publisher)
Use cases for authenticated code: Same Use cases for trusted code: Implicit Potential mitigations:
Certified (vouched for by trusted 3rd party)
Use cases for certified code: Backlight Dimming based on ambient light Screen-off based on proximity Authorization model: Implicit Potential mitigations:
Note: Many device sensor and motion use cases already covered by DeviceOrientation / DeviceMotion API (http://dev.w3.org/geo/api/spec-source-orientation.html)