WebAPI/Security/Vibration: Difference between revisions

Latest revision as of 23:42, 1 October 2014

Vibration

Brief purpose of API: Let content activate the vibration motor. General use cases: Vibrate when hit in a game etc.

Reference: http://dev.w3.org/2009/dap/vibration/

Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/6aa715e1d7a5a9f5#

Inherent threats: Obnoxious if abused, consume extra battery.

Threat severity: low

Notes:

User can deny from Permission Manager to override an abusive app.
Since only foreground content can trigger vibrator, this seems equivalent to other potentially annoying feedback mechanisms and should be implicit for uninstalled web content.

Permissions Table

Type	Use Cases	Authorization Model	Notes & Other Controls
Web Content	As per general use case.	Implicit	Limit how long vibrations can run. Only foreground content can trigger vibration.
Installed Web Apps	As per general use case.	Implicit	Limit how long vibrations can run. Only foreground content can trigger vibration.
Privileged Web Apps	As per general use case.	Implicit	Limit how long vibrations can run. Only foreground content can trigger vibration.
Certified Web Apps	As per general use case.	Implicit	Limit how long vibrations can run. Only foreground content can trigger vibration.

@@ Line 1: / Line 1: @@
-Name of API: Vibration
+== Vibration ==
+Brief purpose of API: Let content activate the vibration motor.
+General use cases: Vibrate when hit in a game etc.
 Reference: http://dev.w3.org/2009/dap/vibration/
-Brief purpose of API: Let content activate the vibration motor
+Security Discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/6aa715e1d7a5a9f5#
+Inherent threats: Obnoxious if abused, consume extra battery.
-Inherent threats: Obnoxious if mis-used, consume extra battery
 Threat severity: low
-== Regular web content (unauthenticated) ==
+Notes:
-Use cases for unauthenticated code: Vibrate when hit in a game
+* User can deny from Permission Manager to override an abusive app.
-Authorization model for uninstalled web content: Implicit
+* Since only foreground content can trigger vibrator, this seems equivalent to other potentially annoying feedback mechanisms and should be implicit for uninstalled web content.
-Authorization model for installed web content: Implicit
-Potential mitigations: Limit how long vibrations can run.  Only foreground content can trigger vibration.
+=== Permissions Table===
+{| border="1" class="wikitable"
+! Type
+! Use Cases
+! Authorization Model
+! Notes & Other Controls
+|-
+| Web Content || As per general use case. || Implicit || Limit how long vibrations can run.  Only foreground content can trigger vibration.
+|-
+| Installed Web Apps || As per general use case. || Implicit || Limit how long vibrations can run.  Only foreground content can trigger vibration.
+|-
+| Privileged Web Apps || As per general use case. || Implicit|| Limit how long vibrations can run.  Only foreground content can trigger vibration.
+|-
+| Certified Web Apps || As per general use case. || Implicit || Limit how long vibrations can run.  Only foreground content can trigger vibration.
+|}
-== Trusted (authenticated by publisher) ==
-Use cases for authenticated code:[Same]
-Authorization model: Implicit
-Potential mitigations:
-== Certified (vouched for by trusted 3rd party) ==
+__NOTOC__
-Use cases for certified code:
-Authorization model: Implicit
-Potential mitigations:
-Notes:  This API may be implicitly granted.  User can deny from Permission Manager to over-ride an abusive app.
+[[Category:Web APIs]]
-Since only foreground content can trigger vibrator, this seems equivalent to other potentially annoying feedback mechanisms and should be implicit for uninstalled web content.
+[[Category:Security]]

WebAPI/Security/Vibration: Difference between revisions

Latest revision as of 23:42, 1 October 2014

Vibration

Permissions Table

Navigation menu

Search