Closed Bug 1095417 Opened 5 years ago Closed 3 years ago

Secreview for Privileged NFC API

Categories: mozilla.org :: Security Assurance: Review Request, task
Platform: ARM, Gonk (Firefox OS)
Status: RESOLVED FIXED
People: Reporter: allstars.chh, Assigned: arroway

Details

For the next milestone of the NFC API we'd like to make some of the NFC API privileged.

The first stage will be to make the current NFC-sharing API privileged, which includes
- onpeerready/onpeerlost in MozNFC [1]
- MozNFCPeer.webidl [2]
- MozNFCPeerEvent.webidl [3]

These features are currently used by certified apps like Gallery, Music, Video and the System app since Firefox OS v2.0. (The Browser app has been replaced by the System Browser in v2.1.)
For how it works, please look back at Bug 933136. Basically, the System app (or Shrinking UI) notifies Gecko of the current foreground app, and Gecko then dispatches onpeerready to that app.

Also, we would like to change the permissions a little bit.
We will merge nfc-read/nfc-write into 'nfc', and make it privileged ALLOW in Bug 1048676.

The reason to make it privileged ALLOW instead of privileged PROMPT is the way NFC is used.
The user has to put their phone within 3 ~ 5 cm of an NFC device or tag, which I think already implies some degree of trust from the user.

We'd still keep nfc-manager as a certified permission, and for some new features still in development like ontagfound/lost, we will use 'nfc-manager' to protect them for now (Bug 1048676).

[1]: http://dxr.mozilla.org/mozilla-central/source/dom/webidl/MozNFC.webidl#89
     http://dxr.mozilla.org/mozilla-central/source/dom/webidl/MozNFC.webidl#102

[2]: http://dxr.mozilla.org/mozilla-central/source/dom/webidl/MozNFCPeer.webidl

[3]: http://dxr.mozilla.org/mozilla-central/source/dom/webidl/MozNFCPeerEvent.webidl
Flags: sec-review?(ptheriault)
Update: we are changing to open the following to privileged:

- MozNFC
  * ontagfound
  * ontaglost
  * onpeerfound
  * onpeerlost

- MozNFCTag
  * readNDEF
  * writeNDEF
  * some other attributes

- MozNFCPeer
  * sendNDEF
  * some other attributes

- MozNFCTagEvent (will be passed in ontagfound)
- MozNFCPeerEvent (will be passed in onpeerfound/onpeerready)
Paul said the security review should NOT block moving the NFC API to privileged, but should block the next Firefox OS release.
No longer blocks: b2g-nfc-privilege
Flags: sec-review?(ptheriault) → sec-review?(stephouillon)
(In reply to Yoshi Huang[:allstars.chh] from comment #2)
> Paul said the security review should NOT block moving the NFC API to
> privileged, but should block the next Firefox OS release.

Yes I did, please go ahead and make the changes that are needed for now. Stephanie, can I get you to finish off the review here? The APIs above sound OK to me to be exposed to privileged apps, but we should probably do some testing once the change lands to look for edge cases etc.
Assignee: nobody → stephouillon
Hi Yoshi,

The only question I have is related to the concern raised in bug 1082453 comment 1, about letting applications handle BT and Wi-Fi themselves. Is that still planned?
Flags: needinfo?(allstars.chh)
(In reply to Stephanie Ouillon [:arroway] from comment #4)
> Hi Yoshi,
>
> The only question I have is related to the concern raised in bug 1082453
> comment 1, about letting applications handle BT and Wi-Fi themselves. Is
> that still planned?

Hi Stephanie,
What the NFC API is missing now is the NFC Handover API, i.e. an API to exchange the BT/Wi-Fi information. Once the app gets the BT/Wi-Fi information of the other device, the rest depends on whether the BT/Wi-Fi APIs will be privileged or not, or when they will be.

On the other hand, if the app just wants to share data, the alternative for sharing is to use MozActivity, and we might need a new MozActivity to handle 'nfc-share'.
Flags: needinfo?(allstars.chh)
(In reply to Yoshi Huang[:allstars.chh] from comment #5)
> What the NFC API is missing now is the NFC Handover API, i.e. an API to
> exchange the BT/Wi-Fi information. Once the app gets the BT/Wi-Fi information
> of the other device, the rest depends on whether the BT/Wi-Fi APIs will be
> privileged or not, or when they will be.
>

So, if I understand correctly, in the future, if an app uses this NFC Handover API, it would still require the bluetooth or wifi-manage permissions to use the BT/Wi-Fi APIs?
The NFC Handover API wouldn't transparently handle the actions of turning on BT/Wi-Fi, connecting to a device, sharing the data and shutting down BT/Wi-Fi, right?
(In reply to Stephanie Ouillon [:arroway] from comment #6)
> So, if I understand correctly, in the future, if an app uses this NFC
> Handover API, it would still require the bluetooth or wifi-manage
> permissions to use the BT/Wi-Fi APIs?
> The NFC Handover API wouldn't transparently handle the actions of turning
> on BT/Wi-Fi, connecting to a device, sharing the data and shutting down
> BT/Wi-Fi, right?

Yeah, that's the idea.
This sounds OK, I'll do additional testing when it lands.
Flags: sec-review?(stephouillon) → sec-review+
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED