Much of the core permissions management has landed or is en-route, namely the updated nsIPermissionManager (https://bugzilla.mozilla.org/show_bug.cgi?id=769583, https://developer-new.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIPermissionManager).
Work to populate the permissions from the manifest (https://bugzilla.mozilla.org/show_bug.cgi?id=758269) and to connect them to UI permission events (https://bugzilla.mozilla.org/show_bug.cgi?id=773114) is underway. The largest remaining chunk of work is to ensure each API is calling into nsIPermissionManager instead of using the whitelists. This work is being tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=774716

If you are a WebAPI owner, it's important that you ensure your API implements the correct permission checks. A good place to start is by adding a bug to the existing tracking bug (774716 above).

How do you figure out what permission checks you should have? Great question! You should start by looking at the WebAPI page (https://wiki.mozilla.org/WebAPI#APIs) and finding the corresponding link to the "Security Design Complete" for your API. That should describe the correct behavior for your API for each application type. That includes broad permissions per app-type (i.e. denied, implicit, explicit) but also may recommend or require specific mitigations that can only be implemented within your API.

If you have questions or concerns about the behavior as spec'ed, please feel free to bring it up (ideally in the corresponding original API Security Discussion on dev-webapps or in the bug that you file).

Thanks!
Lucas.
