Web Bluetooth API
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=674737
- https://wiki.mozilla.org/WebAPI/WebBluetooth
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/ztmSvKP3Z8U/discussion
Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
General Use Cases:
Inherent threats: Privacy, access to sensitive user devices, de-anonimization based on bluetooth state
Threat severity: High
Regular web content (unauthenticated)
Use cases: None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations:
Privileged (approved by app store)
Use cases: None
Authorization model: None
Potential mitigations:
Certified (system-critical apps)
Use cases:
- Read bluetooth adapter state
- Start/Stop device discovery
- List discoverd devices
- Pair with device
Authorization model: Implicit
Potential mitigations: Status indicator showing active bluetooth connection, user can click the status indicator to cancel the connection. Any limit on types of devices?
Notes
Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.