Brief purpose of API: Make and receive phone calls
General Use Cases: None
- Place calls to high cost numbers,
- Route calls through high cost network,
- Direct calls through MITM network (spying).
- Possibly with audio API, record phone calls, record touch tone signals (account numbers?).
- In addition, there is a high likelihood that this API will need to be controlled for legal reasons.
Threat severity: high to critical, confidential information disclosure and direct financial risk
- WebAPI: https://wiki.mozilla.org/WebAPI/WebTelephony
- B2G Meta telephony bug: https://bugzilla.mozilla.org/show_bug.cgi?id=699235
- Web Telephony meta bug: https://bugzilla.mozilla.org/show_bug.cgi?id=674726
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/34LUf50tpKA/discussion
|Type||Use Cases||Authorization Model||Notes & Other Controls|
|Web Content||click on a phone number in an email or browser to dial||No direct access (access via web activities)||When user clicks on a phone number, app triggers a web activity to initiate the call. User interaction required to trigger.|
|Installed Web Apps||As Above||No direct access (access via web activities)||As above.|
|Privileged Web Apps||As Above||No direct access (access via web activities)||As above.|
|Certified Web Apps||