Name of API: Screen Orientation
Reference: bug 720794, bug 673922
Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/285ab0bebdad0b7d/9b7ba31dc934014f
Brief purpose of API: Notify content when the screen orientation changes, and let content lock the screen orientation
Inherent threats: minor information leakage (device orientation), minor user inconvenience (lock device orientation)
Threat severity: low per https://wiki.mozilla.org/Security_Severity_Ratings
Regular web content (unauthenticated)
Use cases for unauthenticated code: Prevent screen orientation from changing when playing a game utilizing device motion. Switch screen orientation when switching between different parts of an app (e.g. from playlist to video playback). API-wise, this means detecting orientation and setting/locking orientation.
Authorization model for normal content: implicit for detecting orientation, implicit for locking/setting orientation in fullscreen only
Authorization model for installed content: implicit for both
Potential mitigations: As mentioned, normal content can only set/lock orientation in fullscreen. Only top-level content can set/lock.
Trusted (authenticated by publisher)
Use cases for authenticated code: Same as unauthenticated
Authorization model: implicit
Potential mitigations: None
Certified (vouched for by trusted 3rd party)
Use cases for certified code: Same as above
Authorization model: Same as above
Potential mitigations: None
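
The authorization model above, written as the gating check a user agent could apply before honouring a request (an added example, not code from the bugs or from Gecko). The tier names, the request shape and the function names are hypothetical, and the example assumes the top-level restriction covers the whole unauthenticated tier, since the page lists it only under that tier's mitigations.

```javascript
// Added example: models the authorization matrix from this review.
// Tier names and the ctx shape are hypothetical, not Gecko identifiers.
const TIERS = ["web", "installed", "trusted", "certified"];

function authorize(action, ctx) {
  const { tier, topLevel = true, fullscreen = false } = ctx;
  if (!TIERS.includes(tier)) {
    return { allowed: false, reason: "unknown content tier" };
  }
  if (action === "detect") {
    // Detecting orientation is implicit for every tier.
    return { allowed: true, reason: "implicit" };
  }
  if (action !== "lock") {
    return { allowed: false, reason: "unknown action" };
  }
  // "web" and "installed" are the two kinds of unauthenticated content.
  const unauthenticated = tier === "web" || tier === "installed";
  // Assumption: the top-level mitigation applies to the unauthenticated tier
  // only; trusted and certified content list no mitigations.
  if (unauthenticated && !topLevel) {
    return { allowed: false, reason: "only top-level content can lock" };
  }
  // Normal web content may set/lock orientation in fullscreen only.
  if (tier === "web" && !fullscreen) {
    return { allowed: false, reason: "normal content must be fullscreen" };
  }
  return { allowed: true, reason: "implicit" };
}

// Constructed sample requests, one per interesting corner of the matrix.
const SAMPLE_REQUESTS = [
  { action: "detect", ctx: { tier: "web", topLevel: false } },
  { action: "lock", ctx: { tier: "web", topLevel: true, fullscreen: false } },
  { action: "lock", ctx: { tier: "web", topLevel: true, fullscreen: true } },
  { action: "lock", ctx: { tier: "web", topLevel: false, fullscreen: true } },
  { action: "lock", ctx: { tier: "installed", topLevel: true } },
  { action: "lock", ctx: { tier: "certified", topLevel: true } },
];

// Returns the denial reason for each rejected request, in input order.
function denialReasons(requests) {
  return requests
    .map((r) => authorize(r.action, r.ctx))
    .filter((d) => !d.allowed)
    .map((d) => d.reason);
}

console.log(denialReasons(SAMPLE_REQUESTS));
```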