In bug 677166 there was discussion around restricting access to the Network Information API. As far as I know, no restrictions have been implemented and I wanted to make sure this was a conscious decision, not just an oversight. (Mounir, your comment in https://etherpad.mozilla.org/permissionmatrixupdates confused me, since you wrote this: http://dvcs.w3.org/hg/dap/raw-file/tip/network-api/Overview.html#security-and-privacy-considerations ) This API returns bandwidth and metered. Metered seems fairly safe, but how specific is bandwidth? Do we do any rounding or fuzzing to reduce the usefulness as a fingerprinting measure? Or should this API be installed apps and above only?

No. This API should be exposed to all webpages and apps. It's been designed to be no more sensitive than the normal DOM. This was definitely an intentional decision.