Consider making 10.2.2 Level-1 > modify and move 10.2.2 to 8.3

[jmanico]

10.2.2	Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as contacts, cameras, microphones, or location.

[elarlang]

Seems like a V8 requirement, briefly touched in #1005

[elarlang]

Proposal: move this to 8.3, not sure about level 1

[tghosth]

I can support a move to 8.x but we need to make this specific to the browser, e.g. contacts are not relevant as that should be an MASVS thing.

[danielcuthbert]

With @tghosth here, the wording is very MASVS and mobile as if we are talking traditional devices, the sensors element don't often come into play as they would do in mobile. I get the GDPR-like want here (8.3) but wouldn't say this needs to be merged into that, it still should prevent unnecessary requesting access to WebRTC and subsequently camera/mic etc.

Now do we rely on the browser to control that, as say it does with Chrome where a popup asks user to block/allow or should we go deeper and add a step before that?

[tghosth]

.... I agree with the comment that 10.2.2 level 1

Originally posted by @danielcuthbert in #1468 (comment)

[tghosth]

Opened #1666 to resolve

[elarlang]

Re-open, current requirement:

#	Description	L1	L2	L3	CWE
8.3.11	[MODIFIED, MOVED FROM 10.2.2, LEVEL L2 > L1] Verify that the application does not ask for unnecessary or excessive permissions to privacy related features or sensors, such as cameras, microphones, or location.	✓	✓	✓	272

I think we need to place the requirement to front-end category. We should keep in mind #1755

[tghosth]

I understand why you are suggesting a V50 but this does seem like a classic, "don't collect too much data" requirement which is why it fits V8 so well. It is also more of a business control than a technical control I think. I'm not sure I agree with moving it to V50.

[elarlang]

Ok, the requirement cooking in #1755 seems to be more V50 material.