Re: WebAPI Security Discussion:Battery API

Paul Theriault
Final call for comments on this API. Please reply to [hidden email] before COB Jun 4.

On Thursday, 10 May 2012 05:02:49 UTC+10, [hidden email] wrote:

> (Please reply-to [hidden email])
>
> Name of API: Battery API
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=678694
> http://dvcs.w3.org/hg/dap/raw-file/tip/battery/Overview.html
>
> Note from spec:
> The API defined in this specification is used to determine the battery
> status of the hosting device. The information disclosed has minimal
> impact on privacy or fingerprinting, and therefore is exposed without
> permission grants. For example, authors cannot directly know if there is
> a battery or not in the hosting device.
>
> Brief purpose of API:
> General Use Cases: Adjust app behavior based upon power status
>
> Inherent threats: Fingerprinting, abuse of battery?
>
> Threat severity: low
>
> == Regular web content (unauthenticated) ==
> Use cases: Same
> Authorization model for normal content: Implicit
> Authorization model for installed content: Implicit
> Potential mitigations: None
>
> == Trusted (authenticated by publisher) ==
> Use cases: Same
> Authorization mode: Implicit
> Potential mitigations: None
>
> == Certified (vouched for by trusted 3rd party) ==
> Use cases: Same
> Authorization model: Implicit
> Potential mitigations: None
>
> Note: Should have a setting to disable this in privacy settings

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security