Name of API: Idle API
References:
- https://wiki.mozilla.org/WebAPI/IdleAPI
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Wxgz7_LKD40/discussion
Brief purpose of API: Notify an app if the user is idle
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program).
Inherent threats:
- Privacy implications
- signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
- Could be used by a workplace to monitor activity by monitoring system idle
Threat severity: Low
Regular web content (unauthenticated)
Use cases for unauthenticated code: Idle detection for IM or IRC clients.
Authorization model for normal content: None
Authorization model for installed web content: None
Potential mitigations:
- Exact time user goes idle can be fuzzed so as to reduce correlation
- Provide only page idle not system idle, where privacy is a concern
Privileged (approved by app store)
Use cases for privileged code: N/A
Authorization model: None
Potential mitigations: None
Certified (system-critical apps)
Use cases for certified code: As per unauthenticated
Authorization model: Implicit
Potential mitigations: Implicit