WebAPI/Security/WebUSB

From MozillaWiki

Name of API: WebUSB API

Reference:
https://wiki.mozilla.org/WebAPI/WebUSB
https://bugzilla.mozilla.org/show_bug.cgi?id=674718

Brief purpose of API: Allow core (certified) apps to interact directly with USB devices

General Use Cases:

Inherent threats:

  • Theft of sensitive data
  • Device compromise (mounting of device USB filesystem)

Threat severity: Critical

Regular web content (unauthenticated)

Use cases for unauthenticated code: None

Authorization model for normal content: None

Authorization model for installed content: None

Potential mitigations: N/A

Trusted (authenticated by publisher)

Same as for installed unauthenticated app

Certified (vouched for by trusted 3rd party)

Use cases for certified code: Configure, enable/disable USB devices. Interact with USB devices.

Authorization model for normal content: Implicit

Notes

Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.