WebAPI/Security/PermissionsAPI: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Created page with "== Permission API== Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625 <br> Brief purpose of API: Allow an app to manage app permissions in a centralized location <b...")
 
No edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Permission API==
== Permission API==
Brief purpose of API: Allow an app to manage app permissions in a centralized location


Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=707625 <br>
General Use Cases: None
Brief purpose of API: Allow an app to manage app permissions in a centralized location <br>
General Use Cases: None <br>
Inherent threats: Change security and privacy permissions, potentially leading to device compromise <br>
Threat severity: Critical <br>


=== Regular web content (unauthenticated) ===
Inherent threats: Change security and privacy permissions, potentially leading to device compromise
*Use  cases for unauthenticated code:None
*Authorization model for normal content:  None
*Authorization model for installed content: None
*Potential mitigations:


=== Trusted (authenticated by publisher) ===
Threat severity: Critical
*Use cases for authenticated code: None
*Use cases for trusted code: None
*Potential mitigations:


=== Certified (vouched for by trusted 3rd party) ===
References:  
*Use cases for certified code: Centralized permissions management app; modify per-app settings
*https://bugzilla.mozilla.org/show_bug.cgi?id=707625
*Authorization model: Implicit
*https://groups.google.com/d/topic/mozilla.dev.webapps/sEN6K4y4Am8/discussion
*Potential mitigations: None


Note: We are not exposing permission settings to non-certified apps.  Apps cannot determine their current settings without actually requesting a permission.
=== Permissions Table===
 
{| border="1" class="wikitable"
! Type
! Use Cases
! Authorization Model
! Notes & Other Controls
|-
| Web Content || None || No access ||
|-
| Installed Web Apps || None || No access ||
|-
| Privileged Web Apps || None || No access ||
|-
| Certified Web Apps || Centralized permissions management app; modify per-app settings || Implicit ||
|}
 
==Notes==
We are not exposing permission settings to non-certified apps.  Apps cannot determine their current settings without actually requesting a permission.
 
__NOTOC__
 
[[Category:Web APIs]]
[[Category:Security]]

Latest revision as of 23:41, 1 October 2014

Permission API

Brief purpose of API: Allow an app to manage app permissions in a centralized location

General Use Cases: None

Inherent threats: Change security and privacy permissions, potentially leading to device compromise

Threat severity: Critical

References:

Permissions Table

Type Use Cases Authorization Model Notes & Other Controls
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps None No access
Certified Web Apps Centralized permissions management app; modify per-app settings Implicit

Notes

We are not exposing permission settings to non-certified apps. Apps cannot determine their current settings without actually requesting a permission.

Retrieved from "https://wiki.mozilla.org/index.php?title=WebAPI/Security/PermissionsAPI&oldid=1021343"