Security/Firefox/WebAPI/WebBattery

From MozillaWiki

< Security‎ | Firefox

Jump to: navigation, search

Items to be reviewed

WebBattery bug 678694
Feature: https://wiki.mozilla.org/WebAPI/BatteryAPI

Contents

1 Introduce Feature
2 Any security threats already considered in the design and why?=
3 Threat Brainstorming
4 Conclusions / Action Items

Introduce Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

API for allowing access to the status of the battery on the device
- part of the WebAPI project
2 properties (read only)
- level 0-1
- charging - is the battery charging
- no battery = 1 & charging
- Eventually the API will include charge/discharge times
  - if there's no battery, infinity will be provided instead of times
exposed to all content

What solutions/approaches were considered other than the proposed solution?

Why was this solution chosen?

privacy concerns - minimize fingerprinting

Any security threats already considered in the design and why?=

fingerprinting
possibly knowing how long it might take to drain battery

Threat Brainstorming

Privacy: will this API be exposed to all content (shipped in all versions of Firefox), or just b2g?
web sites are able to tell if you have a battery or not due to return values of charging time etc - 1 bit of fingerprinting
- Result means that web sites could try really hard to drain batteries
Pref to disable the API? (not yet)

Conclusions / Action Items

[mounir] Pref to disable: bug 699459 (fixed)

Retrieved from "https://wiki.mozilla.org/index.php?title=Security/Firefox/WebAPI/WebBattery&oldid=383631"

SecReview