Latest revision as of 23:40, 1 October 2014
Web Bluetooth API
Brief purpose of API: The aim of WebBluetooth is to establish a DOM API to set up and communicate with Bluetooth devices. This includes setting properties on adapters and devices, scanning for devices, bonding, and socket initialization for audio and communication.
General Use Cases:
Inherent threats: Privacy, access to sensitive user devices, de-anonymization based on Bluetooth state
Threat severity: High
References:
- https://bugzilla.mozilla.org/show_bug.cgi?id=674737
- https://wiki.mozilla.org/WebAPI/WebBluetooth
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/ztmSvKP3Z8U/discussion
Permissions Table
| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | None | No access | |
| Installed Web Apps | None | No access | |
| Privileged Web Apps | None | No access | |
| Certified Web Apps | Read Bluetooth adapter state; Start/Stop device discovery; List discovered devices; Pair with device | Implicit | Potential mitigations: Status indicator showing active Bluetooth connection, user can click the status indicator to cancel the connection. Potentially limits on device types. |
Notes
Non-certified use cases are out of scope for 1.0. We will consider those for a subsequent release.