Please reply-to dev-webapps.
Yes, its a bit odd to be discussion a mature API but we should make explicit its behavior for install applications.
Name of API: Geolocation API
Reference: _
https://developer.mozilla.org/En/Using_geolocation_
Brief purpose of API: Obtain current location of user
General Use Cases: Mapping applications, GPS navigation, geotagging
Inherent threats:
* Leakage of user's current location to app
* Leakage of user's current location to 3rd party geolocation service
* Profiling of user behavior
Threat severity: Moderate
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Same
Authorization model for normal content: Explicit (default to not remember)
Authorization model for installed content:Explicit (default to... ?)
Potential mitigations: UI indicator for active geolocation with a path for user to disable
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Same
Authorization model: Explicit (default to... ?)
Potential mitigations: Same
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Device theft recovery; same
Authorization model: Implicit
Potential mitigations: Same (tho do we want UI indicator in case of theft?)