WebAPI/Security/PermissionsAPI: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) No edit summary |
No edit summary |
||
| Line 33: | Line 33: | ||
__NOTOC__ | __NOTOC__ | ||
[[Category:Web APIs]] | |||
[[Category:Security]] | |||
Latest revision as of 23:41, 1 October 2014
Permission API
Brief purpose of API: Allow an app to manage app permissions in a centralized location
General Use Cases: None
Inherent threats: Change security and privacy permissions, potentially leading to device compromise
Threat severity: Critical
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=707625
- https://groups.google.com/d/topic/mozilla.dev.webapps/sEN6K4y4Am8/discussion
Permissions Table
| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | None | No access | |
| Installed Web Apps | None | No access | |
| Privileged Web Apps | None | No access | |
| Certified Web Apps | Centralized permissions management app; modify per-app settings | Implicit |
Notes
We are not exposing permission settings to non-certified apps. Apps cannot determine their current settings without actually requesting a permission.