
WebAPI Security Discussion: Keyboard API


Lucas Adamski

May 9, 2012, 2:17:54 PM
to dev-w...@lists.mozilla.org, dev-w...@lists.mozilla.org, dev-se...@lists.mozilla.org, dev-b2g
Please reply-to dev-w...@lists.mozilla.org

Name of API: Keyboard API
Reference:
See: https://groups.google.com/d/topic/mozilla.dev.webapi/Vs3-HGv9NNw/discussion

Brief purpose of API: Allow virtual keyboard to be implemented as a Web App
General Use Cases:
*Replace the installed keyboard with a different one
*Choose what keyboard is shown (numeric, alphanumeric, symbols, first letter capitalized etc)

Inherent threats: Access to user keystrokes (steal passwords, bank account details, etc), send trusted key events
Threat severity: high

== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Request which keyboard [type?] is displayed
Authorization model for uninstalled web content: implicit for focused top-level content
Authorization model for installed web content: implicit
Potential mitigations: Request keyboard [type] only.

== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Implement new keyboard.
Authorization model: Implicit
Potential mitigations:

== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: Implement new keyboard
Authorization model: Implicit
Potential mitigations: None

Notes: Obtain user confirmation at install time (i.e. "Install this keyboard?"). Keyboard apps have unique store review requirement.
