Paul Theriault
May 9, 2012, 2:57:27 PM
to dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, Mozilla B2G mailing list
(Please reply-to dev-w...@lists.mozilla.org)
Name of API: Network Information API Sec
Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=677166
https://wiki.mozilla.org/WebAPI/NetworkAPI
Brief purpose of API:
General Use Cases:
Read current bandwidth estimate or ask if connection is metered
Listen for connection change events
Inherent threats: Privacy (de-anonymize users based on connection change
events?)
Threat severity: Low
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Read current bandwidth estimate or
ask if connection is metered
Authorization model for normal content: Read current bandwidth estimate
or ask if connection is metered
Authorization model for installed content:
Potential mitigations: Maybe fuzz the exact time of the network change
event in a similar manner to idle API.
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: As above
Use cases for trusted code:
Potential mitigations:
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: As above
Authorization model:
Potential mitigations:
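
A sketch of the timing-fuzz mitigation proposed above, as an added example that is not part of the original message or of Mozilla's implementation: each listening origin receives the change event after its own random delay, so the timestamps different sites observe for one connection change do not line up. The class name, `maxJitterMs`, and the 5-second default are assumptions made for illustration.

```javascript
// Added illustration. FuzzedChangeNotifier and maxJitterMs are hypothetical
// names, not part of the Network Information API.

// Uniform float in [0, 1); uses a CSPRNG when the runtime exposes one.
function defaultRandom() {
  const c = globalThis.crypto;
  if (c && typeof c.getRandomValues === "function") {
    return c.getRandomValues(new Uint32Array(1))[0] / 2 ** 32;
  }
  return Math.random();
}

class FuzzedChangeNotifier {
  constructor({
    maxJitterMs = 5000, // assumed upper bound on the added delay
    random = defaultRandom,
    schedule = (fn, ms) => setTimeout(fn, ms),
  } = {}) {
    this.maxJitterMs = maxJitterMs;
    this.random = random;
    this.schedule = schedule;
    this.listeners = new Map(); // origin -> callback
  }

  addListener(origin, callback) {
    this.listeners.set(origin, callback);
  }

  // Called once when the real connection change happens.
  // Returns the delay chosen for each origin so it can be inspected.
  notifyChange(state) {
    const delays = new Map();
    for (const [origin, callback] of this.listeners) {
      // Independent draw per origin: two sites comparing event times
      // see values up to maxJitterMs apart for the same change.
      const delay = Math.floor(this.random() * this.maxJitterMs);
      delays.set(origin, delay);
      // The event deliberately carries no timestamp of the real change.
      this.schedule(() => callback({ type: "change", ...state }), delay);
    }
    return delays;
  }
}
```
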