rspec/rules/S5604/javascript/rule.adoc

https://www.w3.org/TR/permissions/#powerful-feature[Powerful features] are browser features (geolocation, camera, microphone ...) that can be accessed with JavaScript API and may require a permission granted by the user. These features can have a high impact on privacy and user security thus they should only be used if they are really necessary to implement the critical parts of an application.


This rule highlights intrusive permissions when requested with https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query[the future standard (but currently experimental) web browser query API] and specific APIs related to the permission. It is highly recommended to customize this rule with the permissions considered as intrusive in the context of the web application.

== Ask Yourself Whether

* Some powerful features used by the application are not really necessary.
* Users are not clearly informed why and when powerful features are used by the application.

You are at risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

* In order to respect user privacy it is recommended to avoid using intrusive powerful features.

== Sensitive Code Example

When using https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API[geolocation API], Firefox for example retrieves personal information like nearby wireless access points and IP address and sends it to the default geolocation service provider, https://www.google.com/privacy/lsf.html[Google Location Services]:

----
navigator.permissions.query({name:"geolocation"}).then(function(result) {
});  // Sensitive: geolocation is a powerful feature with high privacy concerns

navigator.geolocation.getCurrentPosition(function(position) {
  console.log("coordinates x="+position.coords.latitude+" and y="+position.coords.longitude);
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
----

== Compliant Solution

If geolocation is required, always explain to the user why the application needs it and prefer requesting an approximate location when possible:

[source,javascript]
----
<html>
<head>
    <title>
        Retailer website example
    </title>
</head>
<body>
    Type a city, street or zip code where you want to retrieve the closest retail locations of our products:
    <form method=post>
        <input type=text value="New York"> <!-- Compliant -->
    </form>
</body>
</html>
----

== See

* OWASP - https://owasp.org/Top10/A01_2021-Broken_Access_Control/[Top 10 2021 Category A1 - Broken Access Control]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Web Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/250[CWE-250 - Execution with Unnecessary Privileges]
* CWE - https://cwe.mitre.org/data/definitions/359[CWE-359 - Exposure of Private Information]
* https://www.w3.org/TR/permissions/[W3C] - Permissions
* https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites[Mozilla] - Does Firefox share my location with websites?
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure the use of [xxx] is necessary.


=== Parameters

.permissions
****
_string_

----
geolocation
----

Comma-separated list of intrusive permissions to report (supported values: geolocation, camera, microphone, notifications, persistent-storage)
****


endif::env-github,rspecator-view[]