Security Test: Excessive Browser Permissions

Description

Excessive browser permissions occur when web applications request more permissions than necessary from the browser, potentially leading to unauthorized data access or user tracking.

Remediation

  1. Review and document all browser permissions requested by the web application:

    • Analyze permissions in manifest files and API calls
    • Document the purpose of each permission
    • Identify any redundant or unnecessary permissions
  2. Implement strict Permissions-Policy headers:

    • Set appropriate directives (e.g., geolocation=(), camera=(), microphone=())
    • Configure Content-Security-Policy headers
    • Test functionality after implementing restrictions
  3. Apply least privilege principle:

    • Remove unnecessary permission requests
    • Use feature detection instead of broad permissions
    • Implement progressive enhancement where possible
  4. Establish permission monitoring:

    • Set up automated permission auditing
    • Create alerts for unexpected permission changes
    • Document permission changes in version control
  5. Implement user transparency measures:

    • Create clear permission request dialogs
    • Provide context for each permission request
    • Document permissions in privacy policy
    • Allow users to manage permissions
  6. Perform security review:

    • Conduct periodic permission security assessments
    • Test for permission-related vulnerabilities
    • Review third-party components' permissions
  7. Maintain security hygiene:

    • Subscribe to browser security bulletins
    • Update permission policies based on new browser features
    • Review and update permissions documentation regularly
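Steps 2 to 4 above (a strict Permissions-Policy header, least privilege, and automated auditing) can be tied together in a small helper. The following is an added example, not code from the Escape documentation; every feature name, origin and header value in it is constructed, and the header syntax follows the Permissions-Policy dictionary form already quoted in step 2 (e.g. `geolocation=()`).

```javascript
// Added example (not from the Escape docs): build a restrictive
// Permissions-Policy header from an explicit allowlist and audit an existing
// header against the features the application actually needs.
// All feature names, origins and header values below are constructed.

// policy: { feature: [] | ["self", "https://origin", ...] | ["*"] }
// An empty allowlist disables the feature everywhere, including the top-level page.
function buildPermissionsPolicy(policy) {
  return Object.entries(policy)
    .map(([feature, allow]) => {
      if (allow.includes("*")) return `${feature}=*`;
      const tokens = allow.map((o) => (o === "self" ? o : `"${o}"`));
      return `${feature}=(${tokens.join(" ")})`;
    })
    .join(", ");
}

// Parse a Permissions-Policy header value back into { feature: [tokens] }.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const directive of header.split(",")) {
    const m = directive.trim().match(/^([a-z-]+)=(\*|\(([^)]*)\))$/);
    if (!m) continue;
    const body = (m[3] || "").trim();
    policy[m[1]] = m[2] === "*" ? ["*"]
      : body === "" ? [] : body.split(/\s+/).map((t) => t.replace(/^"|"$/g, ""));
  }
  return policy;
}

// Least-privilege audit: flag features the header enables but the app does not
// need, wildcard allowlists, and needed features left at the browser default.
function auditPermissionsPolicy(header, requiredFeatures) {
  const policy = parsePermissionsPolicy(header);
  const required = new Set(requiredFeatures);
  const findings = [];
  for (const [feature, allow] of Object.entries(policy)) {
    if (allow.length > 0 && !required.has(feature)) {
      findings.push(`${feature}: enabled for ${allow.join(" ")} but not required`);
    } else if (allow.includes("*")) {
      findings.push(`${feature}: wildcard grants the feature to every embedded origin`);
    }
  }
  for (const feature of required) {
    if (!(feature in policy)) findings.push(`${feature}: required but not pinned in header`);
  }
  return findings;
}

// Constructed sample: a header that is broader than a video-call page needs.
console.log(auditPermissionsPolicy('geolocation=(self), camera=*, microphone=(self)', ["camera", "microphone"]));
```

Running the audit in CI against the header your server actually emits (step 4) turns "review permissions regularly" into a check that fails the build when a directive widens unexpectedly.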

Frontend Specific

React: Review and limit the permissions requested by React applications to only those necessary for functionality, ensuring user data privacy and security.
Angular: Review and limit the permissions requested by Angular applications to only those necessary for functionality, ensuring user data privacy and security.
Vue: Review and limit the permissions requested by Vue components to only those necessary for functionality, ensuring user data privacy and security.
Svelte: Review and limit browser permissions requested by Svelte applications to only those necessary for functionality, ensuring user privacy and security.
Ember: Review and limit the permissions requested by your Ember application to only those necessary for its functionality, ensuring user privacy and security.
Backbone: Review and limit the permissions requested by Backbone.js applications to only those necessary for functionality, ensuring user data privacy and security.
Preact: Audit and limit browser permissions requested by Preact applications to only those necessary for functionality.
Gatsby: Review and limit browser permissions requested by Gatsby plugins and components to only those necessary for functionality.
Blazor: Review and limit browser permissions requested by Blazor applications to only those necessary for functionality, ensuring user privacy and security.
Marko: Review and limit browser permissions requested by the Marko framework to only those essential for functionality, ensuring user privacy and security.
Mithril: Review and limit the permissions requested by your Mithril application to only those necessary for its functionality, ensuring user privacy and security.

Configuration

Identifier: configuration/excessive_browser_permissions

Examples

Ignore this check

checks:
  configuration/excessive_browser_permissions:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API6:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.2
  • gdpr: Article-25
  • soc2: CC6
  • psd2: Article-96
  • iso27001: A.12.7
  • nist: SP800-53
  • fedramp: SC-18

Classification

  • CWE: 732

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVSS_SCORE: 3.0