Re: WebAPI Security Discussion:Network Information API


Paul Theriault
"Final" call for comment. Please reply-to [hidden email] with any major issues before COB Jun 04.

On Thursday, 10 May 2012 04:57:27 UTC+10, [hidden email] wrote:

> (Please reply-to [hidden email])
>
> Name of API: Network Information API Sec
> Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=677166
> https://wiki.mozilla.org/WebAPI/NetworkAPI
>
> Brief purpose of API:
> General Use Cases:
> Read current bandwidth estimate or ask if connection is metered
>
> Listen for connection change events
>
> Inherent threats: Privacy (de-anonymize users based on connection change
> events?)
>
> Threat severity: Low
>
> == Regular web content (unauthenticated) ==
> Use cases for unauthenticated code: Read current bandwidth estimate or
> ask if connection is metered
> Authorization model for normal content: Read current bandwidth estimate
> or ask if connection is metered
> Authorization model for installed content:
> Potential mitigations: Maybe fuzz the exact time of the network change
> event in a similar manner to idle API.
>
> == Trusted (authenticated by publisher) ==
> Use cases for authenticated code: As above
> Use cases for trusted code:
> Potential mitigations:
>
> == Certified (vouched for by trusted 3rd party) ==
> Use cases for certified code: As above
> Authorization model:
> Potential mitigations:

_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
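
The timing-fuzz mitigation suggested in the proposal above, as an added JavaScript example that is not part of the original message or of Mozilla's code. The names (`createFuzzedNotifier`, `simulate`), the jitter window and the coalescing of rapid changes are assumptions; the message does not say how the idle API fuzzes its events.

```javascript
// Added example with hypothetical names. The real change time is hidden behind
// a random delay, and changes that arrive while a delivery is pending are
// coalesced into one notification carrying only the newest state.
function cryptoRandom() {
  // Uniform value in [0, 1) from the platform CSPRNG, so page script cannot
  // predict the jitter and subtract it back out.
  const buf = new Uint32Array(1);
  globalThis.crypto.getRandomValues(buf);
  return buf[0] / 2 ** 32;
}

function createFuzzedNotifier(deliver, opts = {}) {
  const maxJitterMs = opts.maxJitterMs ?? 5000; // assumed window; the page gives no value
  const random = opts.random ?? cryptoRandom;
  const schedule = opts.schedule ?? setTimeout;
  let pending = false;
  let latest;

  return function onRealChange(state) {
    latest = state;            // content only ever sees the newest state
    if (pending) return null;  // coalesce: no second timer, no second event
    pending = true;
    const delay = Math.floor(random() * maxJitterMs);
    schedule(() => {
      pending = false;
      deliver(latest);
    }, delay);
    return delay;
  };
}

// Constructed scenario on a fake clock: three real changes at t = 0, 40, 90 ms.
function simulate() {
  const timers = [];
  const delivered = [];
  let now = 0;
  const notify = createFuzzedNotifier(
    (state) => delivered.push({ at: now, state }),
    { maxJitterMs: 1000, random: () => 0.5,
      schedule: (fn, ms) => timers.push({ fn, due: now + ms }) }
  );
  for (const [t, state] of [[0, "wifi"], [40, "offline"], [90, "cellular-metered"]]) {
    now = t;
    notify(state);
  }
  for (const timer of timers) { now = timer.due; timer.fn(); }
  return delivered;
}
```

Content observing this notifier sees one event at 500 ms rather than three events at the real change times, which is the signal the proposal's privacy concern is about.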