Security/WebAPI/Socket API

From MozillaWiki
Jump to: navigation, search
Please use "Edit with form" above to edit this page.

Project Info

Socket API
Project Page
Next Milestone `
Security Resource `

Security Information

Status: OK
Securtiy Approved for Beta Launch?: No
Data Flow Diagram: `
Threat Model: `
Bugs: `
Security Review: `
Final Security Approval: no


Goals Expose Socket API so that Web Apps can connect to services requiring such access (e.g. SMTP Web App)



Open Questions

  • Could any security restrictions be applied to mitigate security risk? E.g. we could prevent localhost connections - but this might prevent a valid use case.
  • (out of scope but important) How will credentials be stored (assuming that apps making connections will need credentials to make secure connections)
  • will this API only be available to b2g (I assume not, but how will the trust model work then?)

Threat Model

The following threats have been considered

  • Malicious website uses API to connect to internal resource
  • Increased port scanning capability
  • Data exfiltration
  • Connection to local device

Authorization Model

For B2G:

  • This will only be available to trusted web apps.
  • B2G trusted apps are cached on the phone, code is not loaded dynamically.
  • App must request socket permission in the manifest.

Implementation Requirements