WebAPI/Security/NetworkInfo: Difference between revisions
Revision as of 11:17, 25 June 2012
Name of API: Network Information API Sec
References:
https://bugzilla.mozilla.org/show_bug.cgi?id=677166
https://wiki.mozilla.org/WebAPI/NetworkAPI
Brief purpose of API: Allow content to determine whether the current network connection is metered, so that apps can limit consumption
General Use Cases:
- Read current bandwidth estimate or ask if connection is metered
- Listen for connection change events
Inherent threats: Privacy (de-anonymize users based on connection change events?)
Threat severity: Low
Regular web content (unauthenticated)
Use cases for unauthenticated code: Read current bandwidth estimate or ask if connection is metered
Authorization model for normal content: Implicit
Authorization model for installed content: Implicit
Potential mitigations: Maybe fuzz the exact time of the network change event, in a similar manner to the Idle API.
Trusted (authenticated by publisher)
Use cases for authenticated code: As above
Use cases for trusted code: As above
Potential mitigations: As above
Certified (vouched for by trusted 3rd party)
Use cases for certified code: As above
Authorization model: As above
Potential mitigations: As above
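
One way to implement the time-fuzzing mitigation suggested above, as an added example that is not code from this wiki page or from the project it describes: each origin gets an independent random delay and is only ever shown the delayed time. The class name, the 5-second bound and the use of `crypto.getRandomValues` are assumptions.

```javascript
// Added example. MAX_JITTER_MS and every name here are assumptions.
const MAX_JITTER_MS = 5000; // assumed upper bound on the random delay

// Uniform integer in [0, maxMs) from the platform CSPRNG (Web Crypto).
function secureJitter(maxMs) {
  const limit = Math.floor(0x100000000 / maxMs) * maxMs; // drop the biased tail
  const buf = new Uint32Array(1);
  do { crypto.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % maxMs;
}

class FuzzedChangeNotifier {
  constructor(jitter = secureJitter) {
    this.jitter = jitter;     // injectable so the delay can be tested
    this.pending = new Map(); // origin -> { deliverAt, metered }
  }

  // Record a real connection change observed at nowMs.
  onNetworkChange(nowMs, metered, origins) {
    for (const origin of origins) {
      const prev = this.pending.get(origin);
      // Independent delay per origin, so event times seen by different
      // origins do not line up. A change arriving while one is still queued
      // keeps the existing slot and only updates the reported state.
      const deliverAt = prev ? prev.deliverAt
                             : nowMs + this.jitter(MAX_JITTER_MS);
      this.pending.set(origin, { deliverAt, metered });
    }
  }

  // Return events due at nowMs; content sees deliverAt, never the real time.
  drain(nowMs) {
    const due = [];
    for (const [origin, ev] of this.pending) {
      if (ev.deliverAt <= nowMs) {
        due.push({ origin, metered: ev.metered, timeStamp: ev.deliverAt });
        this.pending.delete(origin);
      }
    }
    return due;
  }
}
```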