WebAPI/Security/DeviceStorage
From MozillaWiki
Device Storage
Brief purpose of API: Let content access files based on name and type. Files can be enumerated.
Inherent threats:
- Use excessive resources (file space), read files, change or delete files.
- Files could potentially contain confidential information.
- Create files with incriminating / illegal information, then call the cops
- Create files that other apps can look for to control their behavior
Threat severity: high to critical - privacy concerns, loss of user data, access to confidential data.
References:
- https://wiki.mozilla.org/WebAPI/DeviceStorageAPI
- Security discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/9b5e3f55ea2c42f8
Type | Use Cases | Authorization Model | Notes & Other Controls |
---|---|---|---|
Web Content | None | No direct access (access via web activities) | |
Installed Web Apps | None | No direct access (access via web activities) | |
Privileged Web Apps | Photo gallery, camera app that displays photos, any app that saves data will likely want to read it back. | Explicit | |
Certified Web Apps | Notify an app if the user is idle. | Implicit | |
Notes
Ideally, permission should be granted per storage type (i.e. the "intended usage" is enforced at runtime), so that granting access to music does not automatically grant access to photos. If the type is a string literal at the time the code is reviewed, review alone would mitigate the issue. Otherwise, sub-permissions for types (device-storage.music) or separate permissions for each type (device-storage-music) would be needed. Per-type permissions also have the benefit that the permission prompt can be more explicit about what is being granted.
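As an added example (not part of the wiki page or of any Mozilla code), the review-time check the Notes describe: scan app source for `navigator.getDeviceStorage(type)` calls, flag any whose type is not a string literal, and compare the literal types against per-type manifest permissions. The `device-storage.<type>` permission names, the `reviewDeviceStorage` helper and the sample app source are assumptions constructed for this illustration.

```javascript
// Scan app source for navigator.getDeviceStorage(<type>) calls: flag calls
// whose type is not a string literal (they cannot be reviewed statically) and
// compare the literal types against the per-type permissions the manifest
// declares. The "device-storage.<type>" permission names follow the
// sub-permission scheme suggested in the Notes and are an assumption.
const CALL_RE = /getDeviceStorage\s*\(\s*([^)]*?)\s*\)/g;
const LITERAL_RE = /^(['"])([a-z]+)\1$/;
const PERMISSION_PREFIX = 'device-storage.';

// Returns the storage types named as string literals, plus any non-literal
// arguments, which a reviewer has to treat as "could be any type".
function scanDeviceStorageCalls(source) {
  const literalTypes = new Set();
  const dynamicArgs = [];
  for (const match of source.matchAll(CALL_RE)) {
    const lit = LITERAL_RE.exec(match[1]);
    if (lit) literalTypes.add(lit[2]);
    else dynamicArgs.push(match[1]);
  }
  return { literalTypes: [...literalTypes].sort(), dynamicArgs };
}

// Cross-check the scan against the manifest's "permissions" object:
// undeclared = types the code uses without a matching permission,
// overDeclared = permissions granted for types the code never names.
function reviewDeviceStorage(source, permissions) {
  const { literalTypes, dynamicArgs } = scanDeviceStorageCalls(source);
  const declared = Object.keys(permissions)
    .filter((p) => p.startsWith(PERMISSION_PREFIX))
    .map((p) => p.slice(PERMISSION_PREFIX.length));
  return {
    literalTypes,
    dynamicArgs,
    undeclared: literalTypes.filter((t) => !declared.includes(t)),
    overDeclared: declared.filter((t) => !literalTypes.includes(t)),
  };
}

// Constructed sample: a "music player" that also reaches into pictures and
// picks one storage type at runtime, so that call cannot be reviewed statically.
const SAMPLE_SOURCE = `
  var music = navigator.getDeviceStorage('music');
  var pics = navigator.getDeviceStorage("pictures");
  var kind = location.hash.slice(1);
  var other = navigator.getDeviceStorage(kind);
`;
const SAMPLE_PERMISSIONS = { 'device-storage.music': { access: 'readwrite' } };
console.log(JSON.stringify(reviewDeviceStorage(SAMPLE_SOURCE, SAMPLE_PERMISSIONS), null, 2));
```

For the sample, the report lists `pictures` as used but undeclared and `kind` as a dynamic argument the reviewer must resolve by hand.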