Security/Firefox/WebAPI/WebBattery
From MozillaWiki
- Items to be reviewed
- WebBattery bug 678694
- Feature: https://wiki.mozilla.org/WebAPI/BatteryAPI
Introduce Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- API for allowing access to the status of the battery on the device
- part of the WebAPI project
- 2 properties (read only)
  - level: 0-1
  - charging: whether the battery is charging
  - no battery: level is 1 and the battery is reported as charging
- Eventually the API will include charge/discharge times
  - if there's no battery, infinity will be provided instead of times
- exposed to all content
What solutions/approaches were considered other than the proposed solution?
Why was this solution chosen?
- privacy concerns - minimize fingerprinting
Any security threats already considered in the design and why?
- fingerprinting
- possibly knowing how long it might take to drain battery
Threat Brainstorming
- Privacy: will this API be exposed to all content (shipped in all versions of Firefox), or just b2g?
- web sites are able to tell if you have a battery or not due to return values of charging time etc - 1 bit of fingerprinting
- Result means that web sites could try really hard to drain batteries
- Pref to disable the API? (not yet)
Conclusions / Action Items
- [mounir] Pref to disable: bug 699459 (fixed)