WebAPI/Security/Idle: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
Name of API: Idle API | Name of API: Idle API | ||
References: | |||
*https://wiki.mozilla.org/WebAPI/IdleAPI | |||
*Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Wxgz7_LKD40/discussion | |||
Brief purpose of API: Notify an app if the user is idle | Brief purpose of API: Notify an app if the user is idle | ||
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program). | General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program). | ||
Inherent threats: | Inherent threats:<br> | ||
Privacy implication | |||
*signalling multiple windows at exactly the same time could correlate user identities and compromise privacy | |||
*Could be used by a workplace to monitor activity by monitoring system idle | |||
Threat severity: Low | Threat severity: Low | ||
== Regular web content (unauthenticated) == | == Regular web content (unauthenticated) == | ||
Use cases for unauthenticated code: | Use cases for unauthenticated code: Idle detection for IM or IRC clients. | ||
Authorization model for normal content: None | Authorization model for normal content: None | ||
| Line 23: | Line 27: | ||
* Provide only page idle not system idle, where privacy is a concern | * Provide only page idle not system idle, where privacy is a concern | ||
== Privileged ( | == Privileged (approved by app store) == | ||
Use cases for authenticated code: N/A | Use cases for authenticated code: N/A | ||
| Line 30: | Line 34: | ||
Potential mitigations: None | Potential mitigations: None | ||
== Certified ( | == Certified (system-critical apps) == | ||
Use cases for certified code: As per unauthenticated | Use cases for certified code: As per unauthenticated | ||
Revision as of 21:28, 6 August 2012
Name of API: Idle API
References:
- https://wiki.mozilla.org/WebAPI/IdleAPI
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Wxgz7_LKD40/discussion
Brief purpose of API: Notify an app if the user is idle
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program).
Inherent threats:
Privacy implication
- signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
- Could be used by a workplace to monitor activity by monitoring system idle
Threat severity: Low
Regular web content (unauthenticated)
Use cases for unauthenticated code: Idle detection for IM or IRC clients.
Authorization model for normal content: None
Authorization model for installed web content: None
Potential mitigations:
- Exact time user goes idle can be fuzzed so as to reduce correlation
- Provide only page idle not system idle, where privacy is a concern
Privileged (approved by app store)
Use cases for authenticated code: N/A
Authorization model: None
Potential mitigations: None
Certified (system-critical apps)
Use cases for certified code: As per unauthenticated
Authorization model: Implicit
Potential mitigations: Implicit