WebAPI/Security/BrowserAPI: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Created page with "Name of API: Browser API References: https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI popup windows in b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=716664 window.open in i...")
 
No edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
Name of API: Browser API
== Browser API ==
References:
Brief purpose of API: Provide an iframe that acts as a web browser
https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI
popup windows in b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=716664
window.open in iframe mozbrowser:
https://bugzilla.mozilla.org/show_bug.cgi?id=742944
window.open in iframe mozapp:
https://bugzilla.mozilla.org/show_bug.cgi?id=744451


Brief purpose of API: Provide an iframe that acts as a web browser
General Use Cases: A browser app.
General Use Cases: A browser app.


Line 19: Line 12:
Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings
Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings


== Regular web content (unauthenticated) ==
References:
Use cases for unauthenticated code: None
*https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI
Authorization model for normal content: None
*popup windows in b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=716664
Authorization model for installed content:None
*window.open in iframe mozbrowser: https://bugzilla.mozilla.org/show_bug.cgi?id=742944
Potential mitigations:
*window.open in iframe mozapp: https://bugzilla.mozilla.org/show_bug.cgi?id=744451
*https://groups.google.com/d/topic/mozilla.dev.webapps/paeyzogqJNY/discussion
 
=== Permissions Table===


== Trusted (authenticated by publisher) ==
{| border="1" class="wikitable"
Use cases for authenticated code: Implement a 3rd party browser application
! Type
Authorization model: Implicit
! Use Cases
Potential mitigations: Each app has separate cookie and password stores
! Authorization Model
from other apps (including system browser app)
! Notes & Other Controls
|-
| Web Content || None || No access
|-
| Installed Web Apps || None || No access
|-
| Privileged Web Apps || Implement a 3rd party browser application || Implicit || Each app has separate cookie and password stores from other apps (including system browser app)
|-
| Certified Web Apps || Replacement Browser|| Implicit ||
|}


== Certified (vouched for by trusted 3rd party) ==
[[Category:Web APIs]]
Use cases for certified code: Replacement Browser
[[Category:Security]]
Authorization model: Implicit

Latest revision as of 23:40, 1 October 2014

Browser API

Brief purpose of API: Provide an iframe that acts as a web browser

General Use Cases: A browser app.

Inherent threats:

  • browser can see all data from all websites, and perform all actions
  • can steal passwords (user-entered; enumerate all saved passwords)
  • can steal cookies (by enumerating websites)
  • NOT a use case: OAuth or other app-content or content-content interactions

Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings

References:

Permissions Table

Type Use Cases Authorization Model Notes & Other Controls
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps Implement a 3rd party browser application Implicit Each app has separate cookie and password stores from other apps (including system browser app)
Certified Web Apps Replacement Browser Implicit
Retrieved from "https://wiki.mozilla.org/index.php?title=WebAPI/Security/BrowserAPI&oldid=1021333"