WebAPI/Security/Idle
Jump to navigation
Jump to search
Name of API: Idle API
References:
- https://wiki.mozilla.org/WebAPI/IdleAPI
- Security discussion: https://groups.google.com/d/topic/mozilla.dev.webapps/Wxgz7_LKD40/discussion
Brief purpose of API: Notify an app if the user is idle.
General Use Cases: Notify a web page is a user is idle (e.g. to change a status in an instant messaging program).
Inherent threats:
- Privacy implications
- Signalling multiple windows at exactly the same time could correlate user identities and compromise privacy
- Could be used by a workplace to monitor activity by monitoring system idle
Threat severity: Low
| Type | Use Cases | Authorization Model |
|---|---|---|
| Web Content | None | No access |
| Installed Web Apps | None | No access |
| Privileged Web Apps | None | No access |
| Certified Web Apps | Notify an app if the user is idle. | Implicit |
Regular web content (unauthenticated)
Use cases for unauthenticated code: None. Authorization model for normal content: No Access.
- Installed Web Apps
- Use cases for unauthenticated code: None.
- Authorization model for normal content: No access.
- Privileged (approved by app store)
- Use cases for privileged code: None.
- Authorization model: No access.
Certified (system-critical apps)
Use cases for certified code: Notify an app if the user is idle
Authorization model: Implicit
Potential mitigations: Due to the privacy risks associated with this API, access is limited to certified applications. (See https://bugzilla.mozilla.org/show_bug.cgi?id=780507 for further detail).