Closed
Bug 1053673
Opened 10 years ago
Closed 8 years ago
Security review of refined WebBluetooth API
Categories
(Firefox OS Graveyard :: Bluetooth, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: ben.tian, Unassigned)
References
()
Details
(Whiteboard: [webbt-api])
Attachments
(1 file, 11 obsolete files)
|
4.10 KB,
text/plain
|
Details |
Bug 1005848 implemented refined WebBluetooth API and it requires security review to expose to privileged apps. The implementation is under dom/bluetooth2 and requires patch on bug 1005848 to enable building. The latest version of refined WebBluetooth API is on mozilla wiki: https://wiki.mozilla.org/B2G/Bluetooth/WebBluetooth-v2
|
Reporter | |
Comment 1•10 years ago
|
||
Move sec-review? flag from bug 1005848 to this bug for discussion.
|
||
Comment 2•10 years ago
|
||
Hi Paul, We have considered some possible threats and proposed a solution recently. Please check https://docs.google.com/a/mozilla.com/document/d/1aJG_PrR2SJixivbKi_qDx2SfjsObl_GG1UW--fdiwGw for detail. We would like to use this file to start the security review of our refined WebBluetooth API with you. Could you take a look and provide your feedback in the document or this bug? Please feel free to add any threats/requirements that come up to your mind, we can discuss together and found a way to achieve it. Please note that the bluetooth-admin permission described in our proposed solution haven't been implemented yet. We would like to discuss the permission setting with you before actually apply it. Thanks, Jocelyn
|
|
Reporter | |
Comment 3•10 years ago
|
||
Attach the latest patch to enable building of dom/bluetooth2.
|
|
Reporter | |
Comment 4•10 years ago
|
||
Attachment #8479631 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 5•10 years ago
|
||
Attachment #8482043 -
Attachment is obsolete: true
|
|
||
Comment 6•10 years ago
|
||
Attachment #8497962 -
Attachment is obsolete: true
|
|
||
Comment 7•10 years ago
|
||
Hi Jenny, We're going through a security review with Paul from security team for our new WebBluetooth API. And Paul bring up a question that we want to involve UX here since it's more related to user experience. Bluetooth team plans to expose a new "bluetooth-admin" permission to privileged apps for bluetooth management, such as enabling/disabling bluetooth and discovering nearby bluetooth devices. These functions are currently limited to certified Apps and controlled mainly through settings app. We want to expose those APIs since we want users can use 3rd party bluetooth Apps without having users to manually switch to settings and fulfill every pre-conditions, then switch back to the App to use it. On the other hand, Paul is concerned that it will be a bad UX if we let third party apps to overwrite those bluetooth settings in settings app. (BT on/off, device discoverability, and device's human readable name) We both agreed that we should ask for UX's opinion on this, could you provide your feedback on this from user experience perspective? Thanks, Jocelyn
Flags: needinfo?(jelee)
Hi Jocelyn, As described in mail, I would suggest to go with Paul's proposal due to below reasons: 1. Security is something we can't compromise. 2. It's fairly easy to open Bluetooth from utility tray. 3. Renaming adapter probably isn't something an app needs to do. Note that with this proposal, to provide a better UX we need to make sure in permission prompt, we should clearly state that "what" is permitted (not including enable/disable, naming adapter). Let me know if you have further concerns. Thanks ;)!
Flags: needinfo?(jelee)
|
|
Reporter | |
Comment 9•10 years ago
|
||
Attachment #8505323 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 10•10 years ago
|
||
Attachment #8514046 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 12•10 years ago
|
||
Attachment #8520359 -
Attachment is obsolete: true
|
|
||
Comment 13•10 years ago
|
||
Update dev-patch for enabling BT API v2.
Attachment #8522774 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 14•9 years ago
|
||
Attachment #8542084 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 15•9 years ago
|
||
Attachment #8564864 -
Attachment is obsolete: true
|
|
||
Comment 16•9 years ago
|
||
Patch for enabling v2 with LE support after Bug 1146355 landed.
Attachment #8590171 -
Attachment is obsolete: true
|
||
Comment 17•9 years ago
|
||
I'm wondering if this aligns with the spec that has since been published by the Web Bluetooth Community Group https://webbluetoothcg.github.io/web-bluetooth/
|
|
||
Comment 18•9 years ago
|
||
Also I notice that there's a related old unresolved bug for Bluetooth Web API still open at https://bugzilla.mozilla.org/show_bug.cgi?id=674737
|
||
Comment 19•9 years ago
|
||
I believe the implemented API isn't exactly the same as the W3C spec, but Jocelyn's expressed interest in converging, and I believe then exposing the result to arbitrary websites like we're working on in Chrome: https://crbug.com/419413. That convergence and any extra security review should probably be a separate bug?
|
|
||
Comment 20•9 years ago
|
||
(In reply to Jeffrey Yasskin from comment #19) > I believe the implemented API isn't exactly the same as the W3C spec, but > Jocelyn's expressed interest in converging, and I believe then exposing the > result to arbitrary websites like we're working on in Chrome: > https://crbug.com/419413. That convergence and any extra security review > should probably be a separate bug? Yes, this bug is actually focusing on the security review of our refined bluetooth API on Firefox OS, which only covers classic bluetooth. And W3C spec is focusing on GATT, we will use separate bugs for these parts when we start the converging. I just open a meta bug for the alignment in Bug 1204396. Apologies for the confusion here.
(In reply to Jocelyn Liu [:jocelyn] [:joliu] [PTO from 12/23-1/6 GMT+8] from comment #20) > (In reply to Jeffrey Yasskin from comment #19) > > I believe the implemented API isn't exactly the same as the W3C spec, but > > Jocelyn's expressed interest in converging, and I believe then exposing the > > result to arbitrary websites like we're working on in Chrome: > > https://crbug.com/419413. That convergence and any extra security review > > should probably be a separate bug? > > Yes, this bug is actually focusing on the security review of our refined > bluetooth API on Firefox OS, which only covers classic bluetooth. > And W3C spec is focusing on GATT, we will use separate bugs for these parts > when we start the converging. > I just open a meta bug for the alignment in Bug 1204396. > Apologies for the confusion here. So with the shift in FxOS direction I would like to re-prioritize this bug and devote some time to it again. Do you think I should focus on this bug (making FxOS Classic Bluetooth API available to the web) or perhaps its more worthwhile focusing energy on the W3C spec? Which one would prefer I focus on? Personally I;m inclined to focus more on the W3C given the progress in that space, but I don't know how close our implementation is. If it is far away, do you think there is any value (or even possibility) of creating a polyfill for w3c, if we figure out a way to expose part of the existing FxOS API to the web.
Assignee: nobody → ptheriault
Flags: needinfo?(joliu)
Flags: needinfo?(btian)
|
|
Reporter | |
Comment 22•9 years ago
|
||
(In reply to Paul Theriault [:pauljt] from comment #21) > Which one would prefer I focus on? Personally I;m inclined to focus more on > the W3C given the progress in that space, but I don't know how close our > implementation is. If it is far away, do you think there is any value (or > even possibility) of creating a polyfill for w3c, if we figure out a way to > expose part of the existing FxOS API to the web. I would say W3C is more important, and we target to complete our implementation by June 2016. I'm not sure it's worth the effort of creating a polyfill first, but prefer to focus on our implementation.
Flags: needinfo?(btian)
|
|
||
Comment 23•8 years ago
|
||
(In reply to Ben Tian [:btian] from comment #22) > (In reply to Paul Theriault [:pauljt] from comment #21) > > Which one would prefer I focus on? Personally I;m inclined to focus more on > > the W3C given the progress in that space, but I don't know how close our > > implementation is. If it is far away, do you think there is any value (or > > even possibility) of creating a polyfill for w3c, if we figure out a way to > > expose part of the existing FxOS API to the web. > > I would say W3C is more important, and we target to complete our > implementation by June 2016. I'm not sure it's worth the effort of creating > a polyfill first, but prefer to focus on our implementation. Sorry for my late response, I was on PTO last week. I also think focusing on W3C spec first might be a better option here and prefer to focus on implementation rather than creating a polyfill. Thanks, Jocelyn
Flags: needinfo?(joliu)
(In reply to Jocelyn Liu [:jocelyn] [:joliu] from comment #23) > (In reply to Ben Tian [:btian] from comment #22) > > (In reply to Paul Theriault [:pauljt] from comment #21) > > > Which one would prefer I focus on? Personally I;m inclined to focus more on > > > the W3C given the progress in that space, but I don't know how close our > > > implementation is. If it is far away, do you think there is any value (or > > > even possibility) of creating a polyfill for w3c, if we figure out a way to > > > expose part of the existing FxOS API to the web. > > > > I would say W3C is more important, and we target to complete our > > implementation by June 2016. I'm not sure it's worth the effort of creating > > a polyfill first, but prefer to focus on our implementation. > > Sorry for my late response, I was on PTO last week. > I also think focusing on W3C spec first might be a better option here and > prefer to focus on implementation rather than creating a polyfill. > > Thanks, > Jocelyn Ok great - I saw on the bt mailing list that we are starting UI specs? Can someone link me to this?
Flags: needinfo?(brsun)
|
||
Comment 25•8 years ago
|
||
> Ok great - I saw on the bt mailing list that we are starting UI specs? Can
> someone link me to this?
Hi Paul,
There are no concrete materials yet. We are just about to start UX discussion this week. I will keep you updated. :)Flags: needinfo?(brsun)
bt2 dropped, removing review
Assignee: ptheriault → nobody
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: sec-review?(ptheriault)
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•