WebAPI/Security/DeviceStorage: Difference between revisions

Line 19: Line 19:
picture, select a song to play.


*Authorization model for uninstalled web content: Explicit (web activities)
Authorization model for uninstalled web content: Explicit (web activities)
*Authorization model for installed web content: Explicit (web activities)
*Potential mitigations: Make sure the user knows what files is being accessed when asking permission.  No option to remember permission.  OS mediated interface (like file picker -  via intents?).


== Trusted (authenticated by publisher) ==
Authorization model for installed web content: Explicit (web activities)
 
Potential mitigations: Make sure the user knows what files is being accessed when asking permission.  No option to remember permission.  OS mediated interface (like file picker -  via intents?).
 
== Privileged (reviewed by store) ==
Use cases for authenticated code: Photo gallery
*Authorization model: Explicit
*Potential mitigations: Granting permission only for a particular type of file (images, pdf, etc).  In the short run we will rely on the "intended usage" to communicate to the user the risk of permitting this access.


== Certified (vouched for by trusted 3rd party) ==
Authorization model: Explicit
 
Potential mitigations: Granting permission only for a particular type of file (images, pdf, etc).  In the short run we will rely on the "intended usage" to communicate to the user the risk of permitting this access.
 
== Certified (system-critical applications) ==
Use cases for certified code: File manager
*Authorization model: Implicit
 
*Potential mitigations: None.
Authorization model: Implicit
 
Potential mitigations: None.


==Notes==
Ideally permission should be given on a type basis (i.e. enforce the "intended usage" at runtime).  So giving permission to access music doesn't automatically give permission to photos.  If the type is a string literal when the code is reviewed, that would mitigate the issue.  Otherwise sub-permissions for types (device-storage.music) or separate permissions for each type (device-storage-music) would be needed.  Also has the benefit that it allows the permission prompt to be more explicit about what is being granted.
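Review bot: both sides of this hunk carry the same grammar slip in the web-content mitigations, "what files is being accessed", which should read "what files are being accessed"; since that line is being reformatted as a bullet anyway, fix it here. The heading change also deserves a sentence of explanation in the text: the photo-gallery section moves from "Certified (vouched for by trusted 3rd party)" to "Privileged (reviewed by store)", so the privileged tier (explicit authorization, mitigation by file type) and the certified tier (file manager, implicit authorization, "Potential mitigations: None.") now sit side by side with different authorization models, and a one-line statement of why store review still warrants an explicit prompt while certified code gets implicit access would make the page self-explanatory. Finally, the Notes paragraph offers two spellings for type-scoped permissions, "device-storage.music" and "device-storage-music", without choosing; settle on one so the permission names can be referenced consistently.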

