Closed Bug 748183 Opened 13 years ago Closed 12 years ago

[Security Review] Screen Orientation API

Categories

(mozilla.org :: Security Assurance, task, P2)

Product:
mozilla.org
Component:
Security Assurance
Platform:
x86
macOS
Type:
task

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: pauljt, Assigned: pauljt)

References

(
URL
)

Details

Brief review for screen orientation API

The feature basically allows content to request to lock the orientation of the screen. Untrusted content needs to ask, installed apps can do it without asking (or that's the proposal)

Minimal security threats? Creating this review for the sake of completeness.
Status: NEW → ASSIGNED
Keywords: sec-review-needed
Whiteboard: [secr:ptheriault] → [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
Summary: Security Review for Screen Orientation API → [Security Review] Screen Orientation API
Blocks: 673922
No longer blocks: 720794
Priority: -- → P2
Don't think there are any security threats here. Regular content can only lock orientation when they have already been granted fullscreen and when fullscreen is exited, orientation is reverted. Even if content was able to lock the screen the risk wouldnt be much beyond annoyance.

The only potential threat I can think of is one of privacy based on mulitple windows correlating the timing of screen orientation events to de-anonymise a user. This has been discussed at length in the idle api, but I suspect there are many APIs that share the trait of being global events. I'll raise a seperate bug to discuss this further.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Keywords: sec-review-complete
Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy]
You need to log in before you can comment on or make changes to this bug.