WebAPI/Security/Sensor: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Replaced content with " API ON HOLD AS OF Sept 2012. Security model closed for now, reopen as needed in the future.")
Line 1: Line 1:
Name of API: Sensor API
          API ON HOLD AS OF Sept 2012. Security model closed for now, reopen as needed in the future.
Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=697361
http://dvcs.w3.org/hg/dap/raw-file/tip/sensor-api/
 
Brief purpose of API: Let apps access environmental sensor data gathered by devices.
General Use Cases: None
 
Inherent threats:Privacy
 
Threat severity: Moderate
 
== Regular web content (unauthenticated) ==
Use  cases for unauthenticated code: Monitor environmental sensor data like temperature, barometer,  magnetic field,
*Authorization model for normal content: Implicit
*Authorization model for installed content: Implicit
*Potential mitigations: Only available to top-level content while focused, values throttled/fuzzed to prevent side-channel attacks where applicable. (e.g. password prediction via accelerometer)
 
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Same
Use cases for trusted code: Implicit
Potential mitigations:
 
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code:
Backlight Dimming based on ambient light
Screen-off based on proximity
Authorization model: Implicit
Potential mitigations:
 
Note: Many device sensor and motion use cases already covered by DeviceOrientation / DeviceMotion API (http://dev.w3.org/geo/api/spec-source-orientation.html)

Revision as of 04:30, 24 September 2012

         API ON HOLD AS OF Sept 2012. Security model closed for now, reopen as needed in the future.
Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Sensor&oldid=472947"