WebAPI/Security/ScreenOrientation

From MozillaWiki
< WebAPI‎ | Security
Revision as of 21:33, 6 August 2012 by Ladamski (talk | contribs)
Jump to navigation Jump to search

Name of API: Screen Orientation

References:

Brief purpose of API: Get notification when screen orientation changes as well as lock the screen orientation

Inherent threats: minor information leakage (device orientation), minor user inconvenience (lock device orientation)

Threat severity: Low per https://wiki.mozilla.org/Security_Severity_Ratings

Regular web content (unauthenticated)

Use cases for unauthenticated code: Prevent screen orientation from changing when playing a game utilizing device motion. Switch screen orientation when switching between different parts of an app (i.e. from playlist to video playback). API wise, this means detecting orientation and setting/locking orientation.

Authorization model for normal content: Implicit for detecting orientation, implicit for locking/setting orientation in fullscreen only

Authorization model for installed content: Implicit for both

Potential mitigations: As mentioned, normal content can only set/lock orientation in fullscreen. Only top-level content can set/lock.

Privileged (approved by app store)

Use cases for privileged code: Same as unauthenticated

Authorization model: Implicit

Potential mitigations: None

Certified (system-critical apps)

Use cases for certified code: Same as above

Authorization model: Same as above

Potential mitigations: None

Retrieved from "https://wiki.allizom.org/index.php?title=WebAPI/Security/ScreenOrientation&oldid=458298"