On 2014-10-02, 2:34 PM, Richard Barnes wrote:

On Sep 30, 2014, at 5:36 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> wrote:

On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
More immediately we should make it impossible to make persistent
grants for these features on unauthenticated origins.

This I agree with when it comes to privacy-sensitive API: Granting a
persistent permission to an http: origin amounts to granting a
persistent permission to everyone who in the future has a chance of
performing an active MITM attack on you.

I also think that we should definitely stop persisting the geolocation 
permission grant for non-authenticated origins.  I'm not really sure if web 
compat allows us to remove support for the API completely (although admittedly 
I don't have data on this.)

Either way, we should collect some data before we take action.

What data specifically? I'm fairly confident that we can make this change no matter how many websites use geolocation from non-authenticated origins.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
