Security/Reviews/ReviewNotes/Joystick

From MozillaWiki
Revision as of 19:16, 4 January 2012 by Curtisk (talk | contribs)


Introduce Feature

Joystick

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

  • to make joystick available to elements for games
  • want joystick to look a lot like mouse (axis movement, etc.)
  • ability to get a stateful object from the joystick to know what to do
  • this only works when tab is focused and in front

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

Any security threats already considered in the design and why?

  • joystick does not work until some user action is taken
    • done to avoid fingerprinting of the system
  • some things have to be disclosed for use
    • the more the site gets to know, the more useful the fingerprint is
    • threat is low as joystick is not going to be used all the time
  • configuration problem
    • more research needed on how to do this
    • num analog sticks, button that was pushed and what it maps to

Threat Brainstorming

  • can this be used for general purpose or is this for games only?
    • there is some accessibility demand for this as an alternate input device
    • page must interpret and user must want
  • how are events tracked?
    • pull should be possible (this is where privacy concerns come from)
      • this is not the device but the object representation of the device
    • currently implemented with events
  • how is data about joystick stored/mapped?
    • per page, not browser
  • information about the joystick should only be live while page has focus
    • if focus lost then it halts until you come back
    • data should not flow between one page and another
      • more research will be done to ensure this is so
    • each page has its own joystick state and it's only active when focus is active
    • all lost when page closed
    • pause when game focus lost
    • restrict joystick events/object to same-origin with the top-level origin
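
The rules brainstormed above (no data before a user action, halt on focus loss, per-page state, same-origin with the top-level origin), modelled as an added JavaScript example that is not Mozilla's implementation. The class `PageJoystick`, its methods and the `*.example` origins are hypothetical, and treating a button press as the "user action" is an assumption.

```javascript
// Model of the gating rules in these notes; not Gecko code. All names are hypothetical.
class PageJoystick {
  constructor(topLevelOrigin) {
    this.topLevelOrigin = topLevelOrigin; // origin of the tab's top-level page
    this.focused = false;
    this.activated = false; // set by the first user action on the device
    this.state = null;      // per-page snapshot, never shared between pages
  }
  setFocus(focused) { this.focused = focused; }
  close() { this.focused = false; this.activated = false; this.state = null; }

  // Called by the modelled browser for every raw device report.
  deviceInput(report) {
    if (!this.focused) return false; // halted while the page is in the background
    if (!this.activated) {
      // Assumption: "user action" means a button press, not axis drift.
      if (!report.buttons.some(Boolean)) return false;
      this.activated = true;
    }
    this.state = { axes: [...report.axes], buttons: [...report.buttons] };
    return true;
  }

  // Pull-style read by script running in callerOrigin.
  poll(callerOrigin) {
    if (!this.focused || !this.activated) return null;
    if (callerOrigin !== this.topLevelOrigin) return null; // cross-origin frame
    return { axes: [...this.state.axes], buttons: [...this.state.buttons] };
  }
}

// Constructed scenario: one device, two open pages, only one focused.
function demo() {
  const game = new PageJoystick("https://game.example");
  const other = new PageJoystick("https://other.example");
  const feed = (r) => [game.deviceInput(r), other.deviceInput(r)];
  game.setFocus(true);
  const out = {};
  feed({ axes: [0.4, 0], buttons: [false, false] });
  out.beforeAction = game.poll("https://game.example");
  feed({ axes: [0.4, 0], buttons: [true, false] });
  out.afterAction = game.poll("https://game.example");
  out.crossOrigin = game.poll("https://ads.example");
  out.backgroundPage = other.poll("https://other.example");
  game.setFocus(false);
  out.focusLost = game.poll("https://game.example");
  game.close();
  out.stateAfterClose = game.state;
  return out;
}
```

In this model the background page never records the device report at all, so nothing is left to read once it regains focus until the user acts on the device again.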

Conclusions / Action Items