Applications should stop using settings permission to just get locale info

RESOLVED INVALID

Status

Firefox OS
General
RESOLVED INVALID
5 years ago
7 months ago

People

(Reporter: st3fan, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
This is related to https://bugzilla.mozilla.org/show_bug.cgi?id=841071

It seems the only reason that many of the built-in applications need the "settings" permissions it to access language.current to find the current locale.

This is done in gaia/shared/js/l10n.js and depending on that module implicitely means that the "settings":{"readonly"} is required.

Because access to the settings is an all-or-nothing deal, this has big security implications. Specially since sensitive info is stored in the settings.

I am filing this bug to find out if it is possible to use the locale info from navigator.language instead. This is a public property for which no special permission is needed.

If navigator.language is usable then I think many of the built-in apps can drop the settings permission requirement.

This can be a solution for both certified and privileged applications.

This can also possibly be a much simpler solution than a complete redesign of the Settings API as discussed in bug 841071. (Although I think a 'tiered' model would still be very appropriate there)

(I was not sure where to file this so I have moved it to General. Please move if needed.)
Stefan - Do you think this is worth tracking for v1? Important enough to stop ship?
The reason apps aren't using navigator.language is that there's no way of detecting when it changes other than constantly polling. So we need bug 780953 fixed in order to make navigator.language a good alternative.
Depends on: 780953
OS: Mac OS X → All
Hardware: x86 → All
(Reporter)

Updated

5 years ago
Blocks: 754747
Blocks: 876396
Blocks: 866876
No longer blocks: 876396
FxOS no longer in codebase. Marking INVALID.
Status: NEW → RESOLVED
Last Resolved: 7 months ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.