• Home
• org.sonarsource.javascript
• javascript-checks
• 10.15.0.27423
• source code
• S5604.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S5604.html Maven / Gradle / Ivy

Powerful features are browser features (geolocation, camera, microphone …​) that
can be accessed with JavaScript API and may require a permission granted by the user. These features can have a high impact on privacy and user
security thus they should only be used if they are really necessary to implement the critical parts of an application.
This rule highlights intrusive permissions when requested with the
future standard (but currently experimental) web browser query API and specific APIs related to the permission. It is highly recommended to
customize this rule with the permissions considered as intrusive in the context of the web application.
Ask Yourself Whether

  
 Some powerful features used by the application are not really necessary. 
  
 Users are not clearly informed why and when powerful features are used by the application. 

You are at risk if you answered yes to any of those questions.
Recommended Secure Coding Practices

  
 In order to respect user privacy it is recommended to avoid using intrusive powerful features. 

Sensitive Code Example
When using geolocation API, Firefox for example retrieves personal
information like nearby wireless access points and IP address and sends it to the default geolocation service provider, Google Location Services:
navigator.permissions.query({name:"geolocation"}).then(function(result) {
});  // Sensitive: geolocation is a powerful feature with high privacy concerns

navigator.geolocation.getCurrentPosition(function(position) {
  console.log("coordinates x="+position.coords.latitude+" and y="+position.coords.longitude);
}); // Sensitive: geolocation is a powerful feature with high privacy concerns

Compliant Solution
If geolocation is required, always explain to the user why the application needs it and prefer requesting an approximate location when
possible:
<html>
<head>
    <title>
        Retailer website example
    </title>
</head>
<body>
    Type a city, street or zip code where you want to retrieve the closest retail locations of our products:
    <form method=post>
        <input type=text value="New York"> <!-- Compliant -->
    </form>
</body>
</html>

See

  
 OWASP - Top 10 2021 Category A1 - Broken Access Control 
  
 OWASP - Web Top 10 2017 Category A3 - Sensitive Data
  Exposure 
  
 CWE - CWE-250 - Execution with Unnecessary Privileges 
  
 CWE - CWE-359 - Exposure of Private Information 
  
 W3C - Permissions 
  
 Mozilla - Does Firefox share my location with
  websites?