On Sunday, August 12, 2012 11:11:08 PM UTC-7, Lucas Adamski wrote: > Please reply to [email protected]. > > > > ==WebActivities API== > > > > References: > > *https://wiki.mozilla.org/WebAPI/WebActivities > > *https://bugzilla.mozilla.org/show_bug.cgi?id=715814 > > > > Brief purpose of API: Allow apps to both register for and to initiate tasks > that cross app boundaries. > > > > General Use Cases: > > *Open a music file in a music player from the email app > > *Take a photo from a social networking app > > *Send an SMS from a social networking app > > *Create a document viewer app that can handle certain types of documents > > > > Inherent threats: > > *Become a handler for sensitive activities, then steal their contents or > change flow of control > > *Escalation of privilege attacks against apps with greater permissions > > > > Threat severity: High > > > > == Regular web content (unauthenticated) == > > Use cases for unauthenticated code: Same > > > > Authorization model for normal content: Implicit to initiate only? > > > > Authorization model for installed content: Implicit to register or initiate > > > > Potential mitigations: Some apps implementing activities for sensitive APIs > (i.e. SMS, photo/video recording, dialer, etc.) should implement UI even if > access to WebActivities is implicit. > > > > == Privileged (approved by app store) == > > Use cases for privileged code: Same > > > > Authorization model: Implicit > > > > Potential mitigations: Same > > > > == Certified (system-critical apps) == > > Use cases for certified code: Same > > > > Authorization model: Implicit > > > > Potential mitigations: Same > > > > == Notes == > > Should sensitive system activities be somehow sandboxed away from "regular" > web activities? Is it dangerous for any app to register as a handler for > potentially sensitive operations (SMS, etc) even though it doesn't confer any > additional privilege. Should any app be able to initiate any activity?
Could we get more details in this discussion on the app manifest pieces for web activities this connects to as well? It could help provide more context to the discussion possibly. _______________________________________________ dev-webapps mailing list [email protected] https://lists.mozilla.org/listinfo/dev-webapps
