WebAPI/Security/Idle

From MozillaWiki
< WebAPI‎ | Security
Revision as of 21:49, 1 August 2012 by Ladamski (talk | contribs)
Jump to navigation Jump to search

Name of API: Idle API Reference: https://wiki.mozilla.org/WebAPI/IdleAPI

Brief purpose of API: Notify an app if the user is idle General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program)

Inherent threats:

  • Privacy implication
    • signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
    • Could be used by a workplace to monitor activity by monitoring system idle

Threat severity: Low

Regular web content (unauthenticated)

Use cases for unauthenticated code: IM chats that need to detect when user is AFK.

Authorization model for normal content: None

Authorization model for installed web content: None

Potential mitigations:

  • Exact time user goes idle can be fuzzed so as to reduce correlation
  • Provide only page idle not system idle, where privacy is a concern

Trusted (authenticated by publisher)

Use cases for authenticated code: As per unauthenticated

Authorization model: Implicit

Potential mitigations: Implicit

Certified (vouched for by trusted 3rd party)

Use cases for certified code: As per unauthenticated

Authorization model: Implicit

Potential mitigations: Implicit

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/Idle&oldid=457197"