WebAPI/Security/WebNFC: Difference between revisions
(Add scope of review) |
(add doc and reference) |
||
| Line 67: | Line 67: | ||
* Interface to lib | * Interface to lib | ||
== Documentation and reference == | |||
=== Key Bugs === | |||
Security Review: WebNFC {{bug|749325}} <br /> | |||
Feature Bug (meta): https://bugzilla.mozilla.org/show_bug.cgi?id=860906<br /> | |||
Dependent bugs: https://bugzilla.mozilla.org/showdependencytree.cgi?maxdepth=2&id=860906&hide_resolved=0<br /> | |||
'''Gonk'''<br /> | |||
NFC Daemon for B2G (daemon for supporting lib-nxp): {{bug|860907}}<br/> | |||
B2G NFC: NFC Daemon for supporting libnfc-nci (daemon for supporting lib-nci): {{bug|906579}}<br/> | |||
B2G NFC: Define protocol to communicate between nfcd and b2g: {{bug|897312}}<br/> | |||
'''Gecko'''<br/> | |||
WebNFC (near-field communication): {{bug|674741}} | |||
'''Gaia'''<br/> | |||
B2G Gaia Integration for NFC: {{bug|860910}} | |||
'''Secure Element Support'''<br/> | |||
NFC Secure Element Support: {{bug|879861}} | |||
Support Nfc Access Control for Secure Element Access: {{bug|884594}} | |||
=== Documentation about the NFC API: === | |||
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API <br/> | |||
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API/Using_the_NFC_API <br/> | |||
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API/Using_the_NFC_emulator <br/> | |||
[[Category:Web APIs]] | [[Category:Web APIs]] | ||
[[Category:Security]] | [[Category:Security]] | ||
Revision as of 14:51, 27 March 2015
Name of API: WebNFC API Reference:
Brief purpose of API: Allow core (certified) and privileged apps to interact directly with NFC devices
General Use Cases: sharing content (media files, contacts) with NFC pairing, read/write NFC tags
Inherent threats:
- Theft of sensitive data
- Device compromise (configuring NFC device)
- Potential for financial impact (payments via NFC) - cf the Secure Element API
Threat severity: Critical
Regular web content (unauthenticated) Use cases for unauthenticated code: None
Authorization model for normal content: None
Authorization model for installed content: None
Potential mitigations: N/A
Trusted (authenticated by publisher)
Same as for installed unauthenticated app
Certified (vouched for by trusted 3rd party)
Use cases for certified code:
- Configure, enable/disable NFC devices.
- Interact with NFC devices.
- Manage NFC payments.
Security Review
Scope of Review
Gaia
- System Application changes
- Web Activities
- System messages
- Communication between system app and NFC client app
- Certified NFC applications
- 3rd party NFC apps
Out of scope for now:
- Wallet Application (see Secure Element API)
- Certified transportation/miFare applications
Gecko
- mozNfc APIs
- Gecko Permissions
- Messaging (NFC:* messages, system messages)
- NFC System worker
- Interface to nfcd on IPC socket
Out of scope:
- Secure elements
- access control
- integration with RIL
Gonk
- NFC Daemon (nfcd)
- Interface to lib
Documentation and reference
Key Bugs
Security Review: WebNFC bug 749325
Feature Bug (meta): https://bugzilla.mozilla.org/show_bug.cgi?id=860906
Dependent bugs: https://bugzilla.mozilla.org/showdependencytree.cgi?maxdepth=2&id=860906&hide_resolved=0
Gonk
NFC Daemon for B2G (daemon for supporting lib-nxp): bug 860907
B2G NFC: NFC Daemon for supporting libnfc-nci (daemon for supporting lib-nci): bug 906579
B2G NFC: Define protocol to communicate between nfcd and b2g: bug 897312
Gecko
WebNFC (near-field communication): bug 674741
Gaia
B2G Gaia Integration for NFC: bug 860910
Secure Element Support
NFC Secure Element Support: bug 879861
Support Nfc Access Control for Secure Element Access: bug 884594
Documentation about the NFC API:
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API/Using_the_NFC_API
https://developer.mozilla.org/en-US/docs/Web/API/NFC_API/Using_the_NFC_emulator