info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
WebAPI Security Discussion: Permission API
29 views
Skip to first unread message
Lucas Adamski
May 8, 2012, 7:47:47 PM5/8/12
to dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
Please reply-to dev-w...@lists.mozilla.org
Name of API: Permission API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625
Brief purpose of API: Allow an app to manage app permissions in a centralized location
General Use Cases: None
Inherent threats: Change security and privacy permissions, potentially leading to device compromise
Threat severity: Critical
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code:None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations:
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: None
Use cases for trusted code: None
Potential mitigations:
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Centralized permissions management app; modify per-app settings
Authorization model: Implicit
Potential mitigations: None
Note: We are not exposing permission settings to non-certified apps. Apps cannot determine their current settings without actually requesting a permission.
Name of API: Permission API
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625
Brief purpose of API: Allow an app to manage app permissions in a centralized location
General Use Cases: None
Inherent threats: Change security and privacy permissions, potentially leading to device compromise
Threat severity: Critical
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code:None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations:
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: None
Use cases for trusted code: None
Potential mitigations:
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Centralized permissions management app; modify per-app settings
Authorization model: Implicit
Potential mitigations: None
Note: We are not exposing permission settings to non-certified apps. Apps cannot determine their current settings without actually requesting a permission.
pther...@mozilla.com
Jun 4, 2012, 1:55:17 AM6/4/12
to mozilla-d...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
0 new messages