WebAPI/Security/BrowserAPI

From MozillaWiki

Browser API

Brief purpose of API: Provide an iframe that acts as a web browser

General Use Cases: A browser app.

Inherent threats:

  • browser can see all data from all websites, and perform all actions
  • can steal passwords (user-entered; enumerate all saved passwords)
  • can steal cookies (by enumerating websites)
  • NOT a use case: OAuth or other app-content or content-content interactions

Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings

References:

Permissions Table

| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | None | No access | |
| Installed Web Apps | None | No access | |
| Privileged Web Apps | Implement a 3rd party browser application | Implicit | Each app has separate cookie and password stores from other apps (including system browser app) |
| Certified Web Apps | Replacement Browser | Implicit | |