Closed
Bug 751015
Opened 13 years ago
Closed 12 years ago
[Security Review] Network Information API
Categories
(mozilla.org :: Security Assurance, task, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: pauljt, Assigned: dchanm+bugzilla)
Details
(Whiteboard: [pending secreview][start mm/dd/yyyy][target mm/dd/yyyy])
Get basic information about current network connectivity.
Updated•13 years ago
Assignee: nobody → ptheriault
Status: NEW → ASSIGNED
Updated•13 years ago
Blocks: B2G-secreview
Comment 1•13 years ago
This API is pretty low risk - it provides access to two read-only properties and access to listen to the connection change event. Might be a way to de-anonymize a user between windows.
Priority: -- → P1
Updated•12 years ago
Priority: P1 → P2
Comment 2•12 years ago
Updated•12 years ago
Assignee: ptheriault → dchan+bugzilla
Comment 3•12 years ago
The API is low risk, as mentioned by Paul in comment #1. Two read-only attributes and an onchange event are exposed by the idl [1]. Implementation is defined in [2]. There are currently 3 connection information implementations: the android one [3], the sandbox one used for b2g [4] and a default fallback one for platforms without a complete hal implementation [5].
The privacy impacts of this API are minimal, as mentioned in the w3 documentation [6]. A malicious page could determine that a connection is metered and attempt to use more data. However, there are other ways to detect metering such as IP address. There also isn't incentive to attack only metered connections in my opinion.
Closing this review off as completed.
[1] - http://mxr.mozilla.org/mozilla-central/source/dom/network/interfaces/nsIDOMConnection.idl
[2] - http://mxr.mozilla.org/mozilla-central/source/dom/network/src/Connection.cpp
[3] - http://mxr.mozilla.org/mozilla-central/source/hal/android/AndroidHal.cpp#116
[4] - http://mxr.mozilla.org/mozilla-central/source/hal/sandbox/SandboxHal.cpp#98
[5] - http://mxr.mozilla.org/mozilla-central/source/hal/fallback/FallbackNetwork.cpp#23
[6] - https://dvcs.w3.org/hg/dap/raw-file/tip/network-api/Overview.html
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 4•12 years ago
(In reply to David Chan [:dchan] from comment #3)
> [..] the sandbox one used for b2g [4] [..]
B2G does not implement this API and the Sandbox is only there to send messages from a content process to the parent process. It is not B2G specific.
Comment 5•12 years ago
(In reply to Mounir Lamouri (:mounir) from comment #4)
> (In reply to David Chan [:dchan] from comment #3)
> > [..] the sandbox one used for b2g [4] [..]
>
> B2G does not implement this API and the Sandbox is only there to send
> messages from a content process to the parent process. It is not B2G
> specific.
Thanks for the clarification, Mounir. Does this mean that b2g uses the android implementation of network information with the Sandbox hal responsible for sending messages between the processes?
Comment 6•12 years ago
B2G doesn't use Network Information API at all AFAIK.