Security/WebAPI/Socket API: Difference between revisions
Jump to navigation
Jump to search
Ptheriault (talk | contribs) No edit summary |
Ptheriault (talk | contribs) No edit summary |
||
| Line 13: | Line 13: | ||
Goals | Goals | ||
Expose Socket API so that Web Apps can connect to services requiring such access (e.g. SMTP Web App) | Expose Socket API so that Web Apps can connect to services requiring such access (e.g. SMTP Web App) | ||
TCP Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=733573 | *TCP Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=733573 | ||
UDP bug: https://bugzilla.mozilla.org/show_bug.cgi?id=745283 | *UDP bug: https://bugzilla.mozilla.org/show_bug.cgi?id=745283 | ||
Articles: | Articles: | ||
| Line 24: | Line 24: | ||
* Could any security restrictions be applied to mitigate security risk? E.g. we could prevent localhost connections - but this might prevent a valid use case. | * Could any security restrictions be applied to mitigate security risk? E.g. we could prevent localhost connections - but this might prevent a valid use case. | ||
* (out of scope but important) How will credentials be stored (assuming that apps making connections will need credentials to make secure connections) | * (out of scope but important) How will credentials be stored (assuming that apps making connections will need credentials to make secure connections) | ||
* will this API only be available to b2g (I assume not, but how will the trust model work then?) | |||
===Threat Model=== | ===Threat Model=== | ||
===Authorization Model=== | ===Authorization Model=== | ||
For B2G: | |||
*This will only be available to trusted web apps. | |||
*B2G trusted apps are cached on the phone, code is not loaded dynamically. | |||
*App must request socket permission in the manifest. | |||
===Implementation Requirements=== | ===Implementation Requirements=== | ||
Revision as of 04:35, 21 May 2012
Please use "Edit with form" above to edit this page.
Project Info
| Socket API | |
| Project Page | https://bugzilla.mozilla.org/show_bug.cgi?id=733573 |
| Next Milestone | ` |
| Security Resource | ` |
{{#set:Component=Socket API |Project=https://bugzilla.mozilla.org/show_bug.cgi?id=733573 |Milestone=` |Resource=` }}
Security Information
| Status: | OK |
| Securtiy Approved for Beta Launch?: | No |
| Data Flow Diagram: | ` |
| Threat Model: | ` |
| Bugs: | ` |
| Security Review: | ` |
| Final Security Approval: | no |
{{#set:Sectrackerstatus=OK |Simpyn=No |DFD=` |TM=` |bugs=` |Secreview=` |SecTrackerFSA=no }}
Background
Goals Expose Socket API so that Web Apps can connect to services requiring such access (e.g. SMTP Web App)
- TCP Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=733573
- UDP bug: https://bugzilla.mozilla.org/show_bug.cgi?id=745283
Articles:
Source:
Open Questions
- Could any security restrictions be applied to mitigate security risk? E.g. we could prevent localhost connections - but this might prevent a valid use case.
- (out of scope but important) How will credentials be stored (assuming that apps making connections will need credentials to make secure connections)
- will this API only be available to b2g (I assume not, but how will the trust model work then?)
Threat Model
Authorization Model
For B2G:
- This will only be available to trusted web apps.
- B2G trusted apps are cached on the phone, code is not loaded dynamically.
- App must request socket permission in the manifest.