On Thu, May 7, 2015 at 12:08 AM, Martin Thomson <m...@mozilla.com> wrote: > On Wed, May 6, 2015 at 11:55 AM, Adam Roach <a...@mozilla.com> wrote: >> Keep in mind the thesis of that plan isn't that we restrict >> security-sensitive features to https -- it's that /all new stuff/ is >> restricted to https. If this falls under the definition of a "new feature," >> and if it's going to be released after the embargo date, then the security >> properties of clipboard manipulation don't really enter into the evaluation. > > This is perhaps a little early to be applying that rule, since we > haven't really gotten far with the discussion with other browser > vendors yet (though we've had some preliminary discussions). > > I think that this is a great example of a feature that we could use to > test out the process for applying the policy.
I think this is the strongest argument for doing this. > Though I can understand > why there might be some resistance, we don't find out much if we don't > ask. Precisely. The upside: we try out aspects of our proposed policy with very little risk. The possible downside: we get negative feedback from developers, and end up delaying the broader support (whether http or other fewer restrictions) by one release. Given how long people have already waited for this, is this potential delay really that harmful? Especially in exchange for the upside. > I'm going to propose that we at least raise the question with other > browsers about restricting this feature to secure contexts. This is a reasonable next step. > The > answer might help inform us on whether pursuing the deprecation plan > as outlined is feasible. Exactly, we get to start trying out parts of the plan at relatively low risk. Like a drill of sorts. > Like Anne, I think that the benefit is > tangible to HTTPS-only, even it is small. Based on the arguments presented in this thread, I have been convinced of this too (tangible but small). Thanks, Tantek _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
