WebAPI/Security/BrowserAPI
Browser API
Brief purpose of API: Provide an iframe that acts as a web browser
General Use Cases: A browser app.
Inherent threats:
- browser can see all data from all websites, and perform all actions
- can steal passwords (user-entered; enumerate all saved passwords)
- can steal cookies (by enumerating websites)
- NOT a use case: OAuth or other app-content or content-content interactions
Threat severity: high per https://wiki.mozilla.org/Security_Severity_Ratings
References:
- https://wiki.mozilla.org/WebAPI/EmbeddedBrowserAPI
- popup windows in b2g: https://bugzilla.mozilla.org/show_bug.cgi?id=716664
- window.open in iframe mozbrowser: https://bugzilla.mozilla.org/show_bug.cgi?id=742944
- window.open in iframe mozapp: https://bugzilla.mozilla.org/show_bug.cgi?id=744451
- https://groups.google.com/d/topic/mozilla.dev.webapps/paeyzogqJNY/discussion
Permissions Table
| Type | Use Cases | Authorization Model | Notes & Other Controls |
|---|---|---|---|
| Web Content | None | No access | |
| Installed Web Apps | None | No access | |
| Privileged Web Apps | Implement a 3rd party browser application | Implicit | Each app has separate cookie and password stores from other apps (including the system browser app) |
| Certified Web Apps | Replacement browser | Implicit | |