WebAPI/Security/BrowserAPI

From MozillaWiki
< WebAPI‎ | Security
Revision as of 11:27, 25 June 2012 by Ptheriault (talk | contribs) (Created page with "Name of API: Browser API References: https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI popup windows in b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=716664 window.open in i...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Name of API: Browser API References: https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI popup windows in b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=716664 window.open in iframe mozbrowser: https://bugzilla.mozilla.org/show_bug.cgi?id=742944 window.open in iframe mozapp: https://bugzilla.mozilla.org/show_bug.cgi?id=744451

Brief purpose of API: Provide an iframe that acts as a web browser General Use Cases: A browser app.

Inherent threats:

  • browser can see all data from all websites, and perform all actions
  • can steal passwords (user-entered; enumerate all saved passwords)
  • can steal cookies (by enumerating websites)
  • NOT a use case: OAuth or other app-content or content-content interactions

Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings

Regular web content (unauthenticated)

Use cases for unauthenticated code: None Authorization model for normal content: None Authorization model for installed content:None Potential mitigations:

Trusted (authenticated by publisher)

Use cases for authenticated code: Implement a 3rd party browser application Authorization model: Implicit Potential mitigations: Each app has separate cookie and password stores from other apps (including system browser app)

Certified (vouched for by trusted 3rd party)

Use cases for certified code: Replacement Browser Authorization model: Implicit

Retrieved from "https://wiki.mozilla.org/index.php?title=WebAPI/Security/BrowserAPI&oldid=445041"