WebAPI/Security/Idle: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) (Created page with "Name of API: Idle API Reference: https://wiki.mozilla.org/WebAPI/IdleAPI Brief purpose of API: Notify an app if the user is idle General Use Cases: Notify a web page is a user ...") |
No edit summary |
||
| Line 13: | Line 13: | ||
== Regular web content (unauthenticated) == | == Regular web content (unauthenticated) == | ||
Use cases for unauthenticated code: | Use cases for unauthenticated code: IM chats that need to detect when user is AFK. | ||
Authorization model for normal content: | |||
Authorization model for installed content: | Authorization model for normal content: None | ||
Authorization model for installed web content: None | |||
Potential mitigations: | Potential mitigations: | ||
* Exact time user goes idle can be fuzzed so as to reduce correlation | * Exact time user goes idle can be fuzzed so as to reduce correlation | ||
| Line 22: | Line 25: | ||
== Trusted (authenticated by publisher) == | == Trusted (authenticated by publisher) == | ||
Use cases for authenticated code: As per unauthenticated | Use cases for authenticated code: As per unauthenticated | ||
Authorization model: Implicit | Authorization model: Implicit | ||
Potential mitigations: Implicit | Potential mitigations: Implicit | ||
== Certified (vouched for by trusted 3rd party) == | == Certified (vouched for by trusted 3rd party) == | ||
Use cases for certified code: As per unauthenticated | Use cases for certified code: As per unauthenticated | ||
Authorization model: Implicit | Authorization model: Implicit | ||
Potential mitigations: Implicit | Potential mitigations: Implicit | ||
Revision as of 21:49, 1 August 2012
Name of API: Idle API Reference: https://wiki.mozilla.org/WebAPI/IdleAPI
Brief purpose of API: Notify an app if the user is idle General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program)
Inherent threats:
- Privacy implication
- signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
- Could be used by a workplace to monitor activity by monitoring system idle
Threat severity: Low
Regular web content (unauthenticated)
Use cases for unauthenticated code: IM chats that need to detect when user is AFK.
Authorization model for normal content: None
Authorization model for installed web content: None
Potential mitigations:
- Exact time user goes idle can be fuzzed so as to reduce correlation
- Provide only page idle not system idle, where privacy is a concern
Trusted (authenticated by publisher)
Use cases for authenticated code: As per unauthenticated
Authorization model: Implicit
Potential mitigations: Implicit
Certified (vouched for by trusted 3rd party)
Use cases for certified code: As per unauthenticated
Authorization model: Implicit
Potential mitigations: Implicit