WebAPI/Security/TCPSocket: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) No edit summary |
Ptheriault (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
== Socket API == | |||
Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc | Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc | ||
| Line 12: | Line 8: | ||
Threat severity: High | Threat severity: High | ||
Reference | |||
*https://bugzilla.mozilla.org/show_bug.cgi?id=733573 | |||
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Asm37KDoVB4/discussion | |||
=== Permissions Table=== | === Permissions Table=== | ||
Revision as of 12:26, 24 September 2012
Socket API
Brief purpose of API: Grant full access to raw sockets to allow applications such as SMTP clients etc
General Use Cases: None
Inherent threats: Malicious apps attacking internal systems (firewall bypass), local device access
Threat severity: High
Reference
- https://bugzilla.mozilla.org/show_bug.cgi?id=733573
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Asm37KDoVB4/discussion
Permissions Table
| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | None | No access | |
| Installed Web Apps | None | No access | |
| Privileged Web Apps | Talk to non-HTTP services. SSH, FTP, mail clients, supporting custom protocols | Implicit |
|
| Certified Web Apps | Open a connection to any domain/port | Implicit | specify hosts/ports in the manifest, permissions granted implicitly and not able to be revoked (unless device is in developer mode) |