|Securtiy Approved for Beta Launch?:||No|
|Data Flow Diagram:||`|
|Final Security Approval:||no|
Goals Expose Socket API so that Web Apps can connect to services requiring such access (e.g. SMTP Web App)
- TCP Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=733573
- UDP bug: https://bugzilla.mozilla.org/show_bug.cgi?id=745283
- Could any security restrictions be applied to mitigate security risk? E.g. we could prevent localhost connections - but this might prevent a valid use case.
- (out of scope but important) How will credentials be stored (assuming that apps making connections will need credentials to make secure connections)
- will this API only be available to b2g (I assume not, but how will the trust model work then?)
The following threats have been considered
- Malicious website uses API to connect to internal resource
- Increased port scanning capability
- Data exfiltration
- Connection to local device
- This will only be available to trusted web apps.
- B2G trusted apps are cached on the phone, code is not loaded dynamically.
- App must request socket permission in the manifest.