WebAPI/Security/Vibration
Name of API: Vibration
Reference: http://dev.w3.org/2009/dap/vibration/
Brief purpose of API: Let content activate the vibration motor
Inherent threats: Obnoxious if misused; consumes extra battery
Threat severity: low
Regular web content (unauthenticated)
Use cases for unauthenticated code: Vibrate when hit in a game
Authorization model for uninstalled web content: Implicit
Authorization model for installed web content: Implicit
Potential mitigations: Limit how long vibrations can run. Only foreground content can trigger vibration.
Trusted (authenticated by publisher)
Use cases for authenticated code: [Same]
Authorization model: Implicit
Potential mitigations:
Certified (vouched for by trusted 3rd party)
Use cases for certified code:
Authorization model: Implicit
Potential mitigations:
Notes: This API may be implicitly granted. The user can deny it from the Permission Manager to override an abusive app. Since only foreground content can trigger the vibrator, this seems equivalent to other potentially annoying feedback mechanisms and should be implicit for uninstalled web content.
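
The mitigations listed above (limit how long vibrations can run, foreground-only triggering, user denial through the Permission Manager), sketched as a gate a browser could apply before driving the motor. This is an added example, not code from the API specification or any browser; gateVibration, the ctx fields and the three numeric limits are assumed names and values.

```javascript
// Added example: policy gate for vibration requests. All limits are assumed values.
const MAX_ENTRY_MS = 5000;   // assumed cap on a single vibrate/pause entry
const MAX_TOTAL_MS = 10000;  // assumed cap on the whole pattern
const MAX_ENTRIES = 32;      // assumed cap on the number of pattern entries

// ctx is a hypothetical description of the calling content:
//   { foreground: boolean, userDenied: boolean }
// Returns the pattern to play (milliseconds, alternating vibrate/pause),
// or null when the request must be dropped without touching the motor.
function gateVibration(pattern, ctx) {
  if (ctx.userDenied) return null;   // user override from the Permission Manager
  if (!ctx.foreground) return null;  // only foreground content may vibrate

  const input = Array.isArray(pattern) ? pattern : [pattern];
  const out = [];
  let budget = MAX_TOTAL_MS;
  for (const raw of input.slice(0, MAX_ENTRIES)) {
    const ms = Number(raw);
    // Malformed entries reject the whole call rather than being guessed at.
    if (!Number.isFinite(ms) || ms < 0) return null;
    // Clamp each entry to the per-entry cap and to what is left of the total.
    const clamped = Math.min(Math.floor(ms), MAX_ENTRY_MS, budget);
    out.push(clamped);
    budget -= clamped;
    if (budget === 0) break;         // total running time exhausted
  }
  // An even-length pattern ends on a pause, which has no effect; drop it.
  if (out.length % 2 === 0) out.pop();
  return out;
}
```

The same gate applies to every content class on this page, since all three use the implicit authorization model.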