WebAPI/Security/BrowserAPI

From MozillaWiki
Jump to: navigation, search

Browser API

Brief purpose of API: Provide an iframe that acts as a web browser

General Use Cases: A browser app.

Inherent threats:

  • browser can see all data from all websites, and perform all actions
  • can steal passwords (user-entered; enumerate all saved passwords)
  • can steal cookies (by enumerating websites)
  • NOT a use case: OAuth or other app-content or content-content interactions

Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings

References:

Permissions Table

Type Use Cases Authorization Model Notes & Other Controls
Web Content None No access
Installed Web Apps None No access
Privileged Web Apps Implement a 3rd party browser application Implicit Each app has separate cookie and password stores from other apps (including system browser app)
Certified Web Apps Replacement Browser Implicit