Our European friends asked us to consider making 10.2.2 Level-1
| # | Description |
|---|---|
| 10.2.2 | Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location. |
Seems like a V8 requirement, briefly touched on in https://github.com/OWASP/ASVS/issues/1005
Proposal: move this to 8.3, not sure about level 1
I can support a move to 8.x but we need to make this specific to the browser, e.g. contacts are not relevant as that should be an MASVS thing.
With @tghosth here, the wording is very MASVS and mobile, as if we are talking about traditional devices; the sensors element doesn't often come into play as it would in mobile. I get the GDPR-like want here (8.3) but wouldn't say this needs to be merged into that; it still should prevent unnecessarily requesting access to WebRTC and subsequently camera/mic etc.
Now do we rely on the browser to control that, as say it does with Chrome where a popup asks user to block/allow or should we go deeper and add a step before that?
.... I agree with the comment that 10.2.2 level 1
Originally posted by @danielcuthbert in https://github.com/OWASP/ASVS/issues/1468#issuecomment-1366490553
Opened #1666 to resolve
Re-open, current requirement:
| # | Description | L1 | L2 | L3 | CWE |
|---|---|---|---|---|---|
| 8.3.11 | [MODIFIED, MOVED FROM 10.2.2, LEVEL L2 > L1] Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as cameras, microphones, or location. | ✓ | ✓ | ✓ | 272 |
I think we need to place the requirement in the front-end category. We should keep in mind https://github.com/OWASP/ASVS/issues/1755
I understand why you are suggesting a V50 but this does seem like a classic, "don't collect too much data" requirement which is why it fits V8 so well. It is also more of a business control than a technical control I think. I'm not sure I agree with moving it to V50.
Ok, the requirement cooking in #1755 seems to be more V50 material.