Marketplace/Reviewers/Apps/Permissions
From MozillaWiki
< Marketplace | Reviewers | Apps
The table was initially based on an etherpad discussion but reformatted and reworded.
| Permission(s) | Use Case | Abuse Case | Reviewer Notes |
|---|---|---|---|
| alarms | Similar to setTimeout, except the the app is started if it isn't currently running. Used by apps to do polling or other background processing. The intended use case is that the app can specify when it needs to be woken up to do processing. | Threats: battery life, CPU usage. Firing frequent alarms to prevent an app from being shut-down. | |
| audio-channel-normal, audio-channel-content, audio-channel-notification, audio-channel-alarm | Competing with other audio channels, leave audio running when the user leaves the app (e.g. background music app). Hierarchy: normal & content < notification < alarm (< ringer < telephony <public notifications) | Poorly designed or belligerent channels which block other sound from being played. Using the "notification" or "alarm" channels for longer periods of time. Using the "content" channel for playing sounds that aren't expected to be played when the user isn't actively using the app. | |
| browser | Act a browser. Allows a the app to render web pages inside an iframe, as it was a normal top level browser frame. | Bypass same origin, e.g. using getScreenshot, not accurately displaying where the user is | |
| Contacts | Access the address book. There are read, write and create levels. | Scrape address book and send to third party server. Modify contents of address book without user consent. | |
| desktop-notification | Send a notification that appears in the system tray. The user can click on the notification, and a event is sent to the application. | Spamming the user, not providing controls to the user to limit notifications. | |
| device-storage | Access users media. Read, write, create access | Delete user media, read | Should only have the least access that is required to do what the app wants to accomplish. Do not allow global deletes. |
| fmradio | Let the user control the radio as part of another app, or with a different UI | Power usage? Privacy issues (low risk probably) | |
| geolocation | Localize user content and show maps or other local content | Logging and storage of geolocation data | |
| systemXHR | Cross-origin XHR without CORS. Allows an app to request data from the web (without cookies or auth credentials). | No request to private address ranges. | |
| tcp-socket | Opening a client socket to any host (eg mail, caldav etc) or making a raw back to their own server (although this should be web-sockets) | Similar to systemXHR - internal address ranges, port scanning etc. |
