Security/Firefox/WebAPI/WebBattery

Items to be reviewed

• WebBattery bug 678694
• Feature: https://wiki.mozilla.org/WebAPI/BatteryAPI

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

• API for allowing access to the status of the battery on the device
  • part of the WebAPI project
• 2 properties (read only)
  • level 0-1
  • charging - is the battery charging
  • no battery = 1 & charging
  • Eventually the API will include charge/discharge times
    • if there's no battery, infinity will be provided instead of times
• exposed to all content

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

• privacy concerns - minimize fingerprinting

Any security threats already considered in the design and why?=

• fingerprinting
• possibly knowing how long it might take to drain battery

Threat Brainstorming

• Privacy: will this API be exposed to all content (shipped in all versions of Firefox), or just b2g?
• web sites are able to tell if you have a battery or not due to return values of charging time etc - 1 bit of fingerprinting
  • Result means that web sites could try really hard to drain batteries
• Pref to disable the API? (not yet)

Conclusions / Action Items

• [mounir] Pref to disable: bug 699459 (fixed)