On 2015-05-06 2:55 PM, Adam Roach wrote:
On 5/6/15 13:32, Jonas Sicking wrote:
Like Ehsan, I don't see what advantages limiting this to https brings?
In some ways, that depends on what we decide to define "new features" to
mean, and the release date of this feature relative to the date we
settle on in the announced security plan [1] of " Setting a date after
which all new features will be available only to secure websites."
If we use the example definition of "new features" to mean "features
that cannot be polyfilled," then this would qualify.
Keep in mind the thesis of that plan isn't that we restrict
security-sensitive features to https -- it's that /all new stuff/ is
restricted to https. If this falls under the definition of a "new
feature," and if it's going to be released after the embargo date, then
the security properties of clipboard manipulation don't really enter
into the evaluation.
I admit that I didn't real the entire HTTP deprecation plan thread
because of the length and the tone of some of the participants, so
perhaps I missed this, but reading
<https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/>
seems to suggest that there is going to be a date and criteria for what
new features mean, but I see no mention of what that date is, or what
the definition of new features is.
So before we come up with a plan for that, I think the security
properties of clipboard manipulation are exactly what we need to take
into consideration here.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
