Please reply-to
dev-w...@lists.mozilla.org
Name of API: Device Storage
Reference:
https://wiki.mozilla.org/WebAPI/DeviceStorageAPI
Brief purpose of API: Let content access files based on name and type.
Can be enumerated.
Inherent threats: Use excessive resources (file space), read files,
change or delete files. Files could potentially contain confidential
information.
Threat severity: high to critical - privacy concerns, loss of user data,
access to confidential data.
== Regular web content (unauthenticated) ==
Use cases for unauthenticated code: Access a previously taken profile
picture, select a song to play.
Authorization model for uninstalled web content: Explicit (OS Mediated)
Authorization model for installed web content: Explicit (OS Mediated)
Potential mitigations: Make sure the user knows what files is being
accessed when asking permission. No option to remember permission. OS
mediated interface (like file picker - via intents?).
== Trusted (authenticated by publisher) ==
Use cases for authenticated code: Photo gallery
Authorization model:
Implicit: Create (e.g. camera saving a photo to the camera roll)
Explicit: Read, Modify (delete,rename,overwrite,edit)
Potential mitigations: Granting permission only for a particular type of
file (images, pdf, etc).
== Certified (vouched for by trusted 3rd party) ==
Use cases for certified code: File manager
Authorization model: Implicit
Potential mitigations:
Notes: Permission should be given on a type basis. So giving
permission to access music doesn't automatically give permission to
photos. If the type is a string literal when the code is reviewed, that
would mitigate the issue. Otherwise sub-permissions for types
(device-storage.music) or separate permissions for each type
(device-storage-music) would be needed. Also has the benefit that it
allows the permission prompt to be more explicit about what is being
granted.