Apps/Security/Permissions
Note: Please do not edit this page. Share your ideas in dev-webapps@lists.mozilla.org or Apps/Security/Discussion instead
Web Content (not exhaustive)
| API | Action | Explicit | Visual Indicator | Mitigations |
|---|---|---|---|---|
| Screen Orientation | lock screen orientation, detect changes | No | No | Rules regarding fullscreen and iframe ancestors |
| Vibration API | | No | | Limit how long vibrations can run. Only foreground content can trigger vibration. |
| IdleAPI | Detect user inactive | Yes | No | Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. |
| ResourceLock API | Prevent the screen from being dimmed or switched off | No | No | Only allowed when content is fullscreen |
| Geolocation API | Obtain current location of user | | | |
| Mouse Lock API | Lock access to mouse and get access to movement deltas rather than coordinates. | Yes | No | |
| Network Information API | Get basic information about current network connectivity. | No | No | |
| Battery Status API | Information about battery charge level and if device is plugged in. | No | No | |
Untrusted Web Apps
| API | Action | Explicit | Visual Indicator | Mitigations |
|---|---|---|---|---|
| Screen Orientation | Lock screen orientation | No | No | |
| Vibration API | | No | No | |
| IdleAPI | Detect user inactive | Yes | No | Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. |
| ResourceLock API | Prevent the screen from being dimmed or switched off | No | No | |
| Geolocation API | Obtain current location of user | Yes | | |
| Mouse Lock API | Lock access to mouse and get access to movement deltas rather than coordinates. | Yes | No | |
| Network Information API | Get basic information about current network connectivity. | No | No | |
| Battery Status API | Information about battery charge level and if device is plugged in. | No | No | |
Trusted Web Apps
| API | Action | Explicit | Visual Indicator | Mitigations |
|---|---|---|---|---|
| Screen Orientation | Lock screen orientation | No | No | |
| WebTelephony | All Web Telephony APIs | No | Yes | Can't replace certified dialer |
| Vibration API | | No | No | |
| WebSMS | All SMS APIs | Yes | No | Open question: can a trusted app register as an SMS handler? Can't replace certified SMS app |
| IdleAPI | Detect user inactive | No | No | Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. |
| ResourceLock API | Prevent the screen from being dimmed or switched off | No | No | |
| TCP Socket API | Connect to TCP socket | No | No | Open question: port/address limitations? Connect only? No listen? |
| Geolocation API | Obtain current location of user | Yes | Yes | |
| UDP Datagram Socket API | Low-level UDP API | No | No | |
| Sensor API | Access to device sensors such as accelerometer, magnetic field (compass), proximity, ambient light etc. | | | |
| Mouse Lock API | Lock access to mouse and get access to movement deltas rather than coordinates. | No | No | |
| Network Information API | Get basic information about current network connectivity. | No | No | |
| Battery Status API | Information about battery charge level and if device is plugged in. | No | No | |
| Contacts API | Add/Read/Modify the device contacts address book. | No | No | |
| Camera API | This is part of the larger WebRTC effort. This is a big piece of work so see the link. | No | No | |
Certified Web Apps
| API | Action | Explicit | Visual Indicator | Mitigations |
|---|---|---|---|---|
| Screen Orientation | Lock screen orientation | No | No | |
| WebSMS | All SMS APIs | No | No | |
| WebTelephony | All Web Telephony APIs | No | Yes | |
| Vibration API | | No | No | |
| IdleAPI | Detect user inactive | No | No | Fuzz Idle time to prevent fingerprinting. Enforce minimum time to prevent keystroke inference. |
| Settings API | API to configure device settings | No | No | |
| ResourceLock API | Prevent the screen from being dimmed or switched off | No | No | |
| PowerManagementAPI | Turn on/off screen, cpu, device power, etc. Listen and inspect resource lock events. | No | No | |
| MobileConnection API | This exposes information about the current mobile voice and data connection to (certain) HTML content. | No | No | |
| TCP Socket API | Create raw TCP Sockets | No | No | |
| Geolocation API | Obtain current location of user | No | Yes | |
| UDP Datagram Socket API | | No | No | |
| Sensor API | Access to device sensors such as accelerometer, magnetic field (compass), proximity, ambient light etc. | No | No | |
| WiFi Information API | Enumerate available WiFi networks, get signal strength and name of currently connected network, etc. | No | No | |
| Device Storage API | Add/Read/Modify files stored on a central location on the device. For example the "pictures" folder on modern desktop platforms or the photo storage in mobile devices. | No | No | |
| USB file-reading API | Add/Read/Modify files stored on memory cards and USB keys connected to the device. Get notified when storage devices are connected/disconnected. Will be very similar to the Device Storage API above with a few additional methods. | No | No | |
| Contacts API | Add/Read/Modify the device contacts address book. | No | No | |
| Camera API | This is part of the larger WebRTC effort. This is a big piece of work so see the link. | No | No | |
| Peer to Peer API | This is part of the larger WebRTC effort. This is a big piece of work so see the link. | No | No | |
| Mouse Lock API | Lock access to mouse and get access to movement deltas rather than coordinates. | No | No | |
| Open WebApps | Install web apps and manage installed webapps. Also allows an installed webapp to get payment information. Everything needed to build an Open WebApps app store. | No | No | |
| WebNFC | Low level access to NFC hardware. So far focusing on NDEF support. | No | No | |
| WebBluetooth | Low level access to Bluetooth hardware. | No | No | |
| WebUSB | Low level access to USB hardware. | No | No | |
| Network Information API | Get basic information about current network connectivity. | No | No | |
| Battery Status API | Information about battery charge level and if device is plugged in. | No | No | |
| HTTP-cache API | Query what's stored in the browser's HTTP cache. Add/remove entries. Update expiration time. Get data directly from cache. | No | No | |
| Alarm API | Schedule a notification, or for an application to be started, at a specific time. | No | No | |
| Browser API | Enables implementing a browser completely in web technologies. | No | No | |
| Time/Clock API | Set current time. Timezone will go in the Settings API. | No | No | |
| Calendar API | Add/Read/Modify to the device calendar. | No | No | |
| Intents/Activities/Actions | Have a problem? This API will be able to solve it. | No | No | |
| Device Capabilities API | Check if the device has certain capabilities, such as front-facing camera, gps, etc. | No | No | |
| Keyboard/IME API | Enables implementing virtual keyboards. | No | No | |
| Spellcheck API | Enable webpages to check if a piece of text is correctly spelled as well as get suggestions for corrections. | No | No | |
| Background services | Enable a web application to run in the background and perform tasks like syncing or respond to incoming messages. | No | No | |
| Push Notifications API | Allow the platform to send notification messages to specific applications. | No | No | |
| LogAPI | Allows registering the user's activity on the phone. | No | No | |