Security Test: Excessive Browser Permissions¶
Description¶
Excessive browser permissions occur when a web application requests, or delegates to embedded frames, more browser capabilities than it needs (for example geolocation, camera, microphone or clipboard access). Every unnecessary permission enlarges what an attacker can reach through an XSS bug or a compromised third-party script, since scripts run with the page's own permissions, and it can enable user tracking beyond what the user consented to.
Remediation¶
- Review and document all browser permissions requested by the web application:
  - Analyze permission requests in manifest files (for example a browser-extension manifest.json) and in calls to permission-gated Web APIs such as navigator.geolocation, navigator.mediaDevices.getUserMedia and Notification.requestPermission
  - Document the purpose of each permission
  - Identify any redundant or unnecessary permissions
- Implement a strict Permissions-Policy header:
  - Set an explicit allowlist for each powerful feature (e.g., geolocation=(), camera=(), microphone=()); an empty allowlist disables the feature for the page and for every frame it embeds
  - Configure Content-Security-Policy headers alongside it, so that an injected script cannot abuse the permissions that remain enabled
  - Test functionality after implementing restrictions, including third-party iframes that legitimately need a delegated feature
- Apply the least privilege principle:
  - Remove unnecessary permission requests
  - Use feature detection and request a permission only when the user triggers the feature that needs it, instead of prompting for everything at page load
  - Implement progressive enhancement where possible, so the application still works when a permission is denied
- Establish permission monitoring:
  - Set up automated auditing of the Permissions-Policy header and of permission-requesting API calls
  - Create alerts for unexpected permission changes
  - Document permission changes in version control
- Implement user transparency measures:
  - Create clear permission request dialogs
  - Provide context for each permission request before the browser prompt appears
  - Document permissions in the privacy policy
  - Allow users to manage permissions
- Perform security review:
  - Conduct periodic permission security assessments
  - Test for permission-related vulnerabilities
  - Review third-party components' permissions: embedded scripts run with the page's own permissions, and iframes receive any feature delegated to them through the allow attribute
- Maintain security hygiene:
  - Subscribe to browser security bulletins
  - Update permission policies based on new browser features
  - Review and update permissions documentation regularly
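The header, audit and request-gating steps above, as an added JavaScript example that is not code from the original page or from any scanner or framework it mentions. The helper names (buildPermissionsPolicy, parsePermissionsPolicy, auditPermissionsPolicy, requestGeolocationOnGesture) and the POWERFUL_FEATURES list are assumptions chosen for illustration; the header syntax and feature names are those of the Permissions Policy specification. The weak header value and the fake navigator in the usage section are constructed so the script runs under Node without a browser.

```javascript
// Added example, not from the original page: least-privilege browser permissions
// in three pieces. (1) build a strict Permissions-Policy header from an explicit
// allowlist, (2) audit a header value to flag powerful features left open, and
// (3) gate a client-side permission request behind feature detection and a user
// gesture. Helper names and POWERFUL_FEATURES are illustrative assumptions.

// Features whose use should be explicit. Names follow the Permissions Policy spec.
const POWERFUL_FEATURES = [
  "geolocation", "camera", "microphone", "payment", "usb",
  "display-capture", "fullscreen", "clipboard-read",
];

// Build a Permissions-Policy header value. `allow` maps a feature to the origins
// permitted to use it ("self" or a quoted origin). Any powerful feature not in
// `allow` gets the empty allowlist `()`, which disables it for the page and for
// every frame it embeds.
function buildPermissionsPolicy(allow = {}) {
  return POWERFUL_FEATURES.map((feature) => {
    const origins = allow[feature] || [];
    const list = origins.map((o) => (o === "self" ? "self" : `"${o}"`)).join(" ");
    return `${feature}=(${list})`;
  }).join(", ");
}

// Parse a header value into { feature: [allowlist tokens] }. Accepts both the
// parenthesised form `camera=(self "https://a.example")` and the bare tokens
// `geolocation=*` / `geolocation=self` that the spec also permits.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const item of header.split(",")) {
    const m = item.trim().match(/^([a-z-]+)=(?:\((.*)\)|(\*|self))$/);
    if (!m) continue;
    if (m[3] !== undefined) policy[m[1]] = [m[3]];
    else policy[m[1]] = m[2].trim() === "" ? [] : m[2].trim().split(/\s+/);
  }
  return policy;
}

// Audit step: report every powerful feature that a header leaves unrestricted,
// either because it is absent (the browser's per-feature default then applies)
// or because it is delegated to every origin with `*`.
function auditPermissionsPolicy(header) {
  const policy = parsePermissionsPolicy(header);
  const findings = [];
  for (const feature of POWERFUL_FEATURES) {
    const allowlist = policy[feature];
    if (allowlist === undefined) findings.push(`${feature}: not restricted`);
    else if (allowlist.includes("*")) findings.push(`${feature}: open to every origin (*)`);
  }
  return findings;
}

// Client-side least privilege: ask for geolocation only from a user gesture,
// only if the API exists, and not at all once the user has already denied it.
// `nav` is injected so the function can be exercised without a real browser.
function requestGeolocationOnGesture(nav, fromUserGesture) {
  if (!fromUserGesture) return Promise.resolve({ state: "skipped", reason: "no user gesture" });
  if (!nav || !nav.geolocation) return Promise.resolve({ state: "unsupported" });
  const preflight = nav.permissions && nav.permissions.query
    ? nav.permissions.query({ name: "geolocation" })
    : Promise.resolve({ state: "prompt" });
  return preflight.then((status) => {
    if (status.state === "denied") return { state: "denied" };
    return new Promise((resolve) => {
      nav.geolocation.getCurrentPosition(
        (pos) => resolve({ state: "granted", coords: pos.coords }),
        (err) => resolve({ state: "error", code: err.code }),
        { enableHighAccuracy: false, maximumAge: 60000 },
      );
    });
  });
}

// Usage with a constructed weak header and a fake navigator (no browser needed).
const strictHeader = buildPermissionsPolicy({
  geolocation: ["self"],
  camera: ["self", "https://video.example"],
});
console.log("Permissions-Policy:", strictHeader);
console.log("findings for strict header:", auditPermissionsPolicy(strictHeader));
console.log("findings for weak header:", auditPermissionsPolicy("geolocation=*, camera=(self)"));

const fakeNavigator = {
  permissions: { query: () => Promise.resolve({ state: "prompt" }) },
  geolocation: {
    getCurrentPosition: (onOk) => onOk({ coords: { latitude: 48.85, longitude: 2.35 } }),
  },
};
requestGeolocationOnGesture(fakeNavigator, true).then((r) => console.log("gesture:", r.state));
requestGeolocationOnGesture(fakeNavigator, false).then((r) => console.log("no gesture:", r.state));
```

On the server the built value is sent as a response header (for example `res.setHeader("Permissions-Policy", strictHeader)` in a Node handler); the audit function is the piece to run in CI or against production responses so that a feature silently dropped from the allowlist, or opened with `*`, raises an alert. The browser-side helper deliberately treats a missing `navigator.permissions` as "prompt" rather than "granted", so on browsers without the Permissions API the request still goes through the normal user prompt.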
Frontend Specific¶
React
Review and limit the permissions requested by React applications to only those necessary for functionality, ensuring user data privacy and security.
Angular
Review and limit the permissions requested by Angular applications to only those necessary for functionality, ensuring user data privacy and security.
Vue
Review and limit the permissions requested by Vue components to only those necessary for functionality, ensuring user data privacy and security.
Svelte
Review and limit browser permissions requested by Svelte applications to only those necessary for functionality, ensuring user privacy and security.
Ember
Review and limit the permissions requested by your Ember application to only those necessary for its functionality, ensuring user privacy and security.
Backbone
Review and limit the permissions requested by Backbone.js applications to only those necessary for functionality, ensuring user data privacy and security.
Preact
Audit and limit browser permissions requested by Preact applications to only those necessary for functionality.
Gatsby
Review and limit browser permissions requested by Gatsby plugins and components to only those necessary for functionality.
Blazor
Review and limit browser permissions requested by Blazor applications to only those necessary for functionality, ensuring user privacy and security.
Marko
Review and limit browser permissions requested by Marko applications to only those essential for functionality, ensuring user privacy and security.
Mithril
Review and limit the permissions requested by your Mithril application to only those necessary for its functionality, ensuring user privacy and security.
Configuration¶
Identifier:
configuration/excessive_browser_permissions
Examples¶
Ignore this check¶
Score¶
- Escape Severity:
Compliance¶
- OWASP: API6:2023
- OWASP LLM: LLM06:2023
- pci: 6.2
- gdpr: Article-25
- soc2: CC6
- psd2: Article-96
- iso27001: A.12.7
- nist: SP800-53
- fedramp: SC-18
Classification¶
- CWE: 732
Score¶
- CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- CVSS_SCORE: 3.0