Apps/Security/Permissions
Jump to navigation
Jump to search
Note: Please do not edit this page. Share your ideas in dev-webapps@lists.mozilla.org or Apps/Security/Discussion instead
Permissions
The table below shows the list of permissions associated with new Web APIs.
Note: this table does not include functionality provided to apps via web activities.
| API | Action | Web Content | Untrusted App | Trusted App | Certified App | Visual Indicator | Mitigations | Notes |
|---|---|---|---|---|---|---|---|---|
| Geolocation API | Obtain current location of user | Explicit (prompt) | Explicit (prompt) | Explicit (prompt) | Implicit | Yes | ||
| IdleAPI | Detect user inactive | Explicit (prompt) | Explicit (prompt) | Implicit | Implicit | No | Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. | |
| Battery Status API | Information about battery charge level and if device is plugged in. | Implicit | Implicit | Implicit | Implicit | No | ||
| Network Information API | Get basic information about current network connectivity. | Implicit | Implicit | Implicit | Implicit | No | ||
| ResourceLock API | Prevent the screen from being dimmed or switched off | Implicit | Implicit | Implicit | Implicit | No | ||
| Vibration API | Implicit | Implicit | Implicit | Implicit | Limit how long vibrations can run. Only foreground content can trigger vibration. | |||
| Screen Orientation | lock screen orientation, detect changes | Implicit (foreground only) | Implicit (foreground only) | Implicit | Implicit | No | Rules regarding fullscreen and iframe ancestors | |
| WebSMS | All SMS APIs | Explicit (prompt) | Implicit | No | Open question: can trusted app register as a SMS handler. Can\'t replace certified SMS app | |||
| TCP Socket API | Connect to TCP socket | Implicit | Implicit | No | Open question for trusted apps: port/address limitations? Connect only? No listen? | |||
| UDP Datagram Socket API | Low-level UDP API | Implicit | Implicit | No | ||||
| WebTelephony | All Web Telephony APIs | Implicit | Implicit | Yes | Can\'t replace certified dialer | |||
| Alarm API | Schedule a notification, or for an application to be started, at a specific time. | Implicit | No | |||||
| Background services | Enable a web application to run in the background and perform tasks like syncing or respond to incoming messages. | Implicit | No | Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. | ||||
| Browser API | Enables implementing a browser completely in web technologies. | Implicit | No | |||||
| Calendar API | Add/Read/Modify to the device calendar. | Implicit | No | |||||
| Camera API | This is part of the larger WebRTC effort. This is a big piece of work so see the link. | Implicit | No | |||||
| Contacts API | Add/Read/Modify the device contacts address book. | Implicit | No | |||||
| Device Capabilities API | Check if the device has certain capabilities, such as front-facing camera, gps, etc. | Implicit | No | |||||
| Device Storage API | Add/Read/Modify files stored on a central location on the device. For example the \"pictures\" folder on modern desktop platforms or the photo storage in mobile devices. | Implicit | No | |||||
| HTTP-cache API | Query what\'s stored in the browsers http-cache. Add/remove entries. Update expiration time. Get data directly from cache. | Implicit | No | |||||
| Keyboard/IME API | Enables implementing virtual keyboards. | Implicit | No | |||||
| LogAPI | Allows to register the user activity on the phone. | Implicit | No | |||||
| MobileConnection API | This exposes information about the current mobile voice and data connection to (certain) HTML content. | Implicit | No | |||||
| PowerManagementAPI | Turn on/off screen, cpu, device power, etc. Listen and inspect resource lock events. | Implicit | No | |||||
| Push Notifications API | Allow the platform to send notification messages to specific applications. | Implicit | No | |||||
| Sensor API | Access to device sensors such as accelerometer, magnetic field (compass), proximity, ambient light etc. | Implicit | No | |||||
| Settings API | API to configure device settings | Implicit | No | |||||
| Time/Clock API | Set current time. Timezone will go in the Settings API. | Implicit | No | |||||
| USB file-reading API | Add/Read/Modify files stored on memory cards and USB keys connected to the device. Get notified when storage devices are connected/disconnected. Will be very similar to the Device Storage API above with a few additional methods. | Implicit | No | |||||
| WebBluetooth | Low level access to Bluetooth hardware. | Implicit | No | |||||
| WebNFC | Low level access to NFC hardware. So far focusing on NDEF support. | Implicit | No | |||||
| WebUSB | Low level access to USB hardware. | Implicit | No | |||||
| WiFi Information API | Enumerate available WiFi networks, get signal strength and name of currently connected network, etc. | Implicit | No |