On 2015-05-06 6:48 PM, Tantek Çelik wrote:
On Thu, May 7, 2015 at 12:08 AM, Martin Thomson <m...@mozilla.com> wrote:
On Wed, May 6, 2015 at 11:55 AM, Adam Roach <a...@mozilla.com> wrote:
Keep in mind the thesis of that plan isn't that we restrict
security-sensitive features to https -- it's that /all new stuff/ is
restricted to https. If this falls under the definition of a "new feature,"
and if it's going to be released after the embargo date, then the security
properties of clipboard manipulation don't really enter into the evaluation.

This is perhaps a little early to be applying that rule, since we
haven't really gotten far with the discussion with other browser
vendors yet (though we've had some preliminary discussions).

I think that this is a great example of a feature that we could use to
test out the process for applying the policy.

I think this is the strongest argument for doing this.

FWIW I don't really understand why this question turned into us looking for projects as a test bed for the HTTP deprecation plans. I still don't think you've demonstrated why this is a problem in practice, and why restricting this API to TLS and leaving the possibility to leverage Flash to *literally* achieve the same result on HTTP is an improvement.

Though I can understand
why there might be some resistance, we don't find out much if we don't
ask.

Precisely.

The upside: we try out aspects of our proposed policy with very little risk.

The possible downside: we get negative feedback from developers, and
end up delaying the broader support (whether http or other fewer
restrictions) by one release. Given how long people have already
waited for this, is this potential delay really that harmful?
Especially in exchange for the upside.

What is it that you're actually proposing? I double read this thread right now and I can't find a mention of a delay period. And what problem are we solving again?

Like Anne, I think that the benefit is
tangible to HTTPS-only, even if it is small.

Based on the arguments presented in this thread, I have been convinced
of this too (tangible but small).

What is the argument that convinced you? Protecting against someone MITMing the connection of users who do not have Flash enabled to get them to click somewhere on the page to copy something to the clipboard? (I'm genuinely trying to understand what we're getting out of this.)
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
