On 2014-10-02, 4:38 PM, Justin Dolske wrote:
On 10/2/14 1:07 PM, Martin Thomson wrote:
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that
On 2014-10-02, 4:07 PM, Martin Thomson wrote:
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that usual practice before we remove something
On 10/2/14 1:07 PM, Martin Thomson wrote:
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that usual practice before we remove something we d
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that usual practice before we remove something we don't like
is to provide some warning. The
On 2014-10-02, 2:34 PM, Richard Barnes wrote:
On Sep 30, 2014, at 5:36 PM, Ehsan Akhgari wrote:
On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
More immediately we should make it impossible to make persistent
grants for these features on unauthenticated origins.
This I agree with when it come
On Sep 30, 2014, at 5:36 PM, Ehsan Akhgari wrote:
> On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
>>> More immediately we should make it impossible to make persistent
>>> grants for these features on unauthenticated origins.
>>
>> This I agree with when it comes to privacy-sensitive API: Grantin
On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
More immediately we should make it impossible to make persistent
grants for these features on unauthenticated origins.
This I agree with when it comes to privacy-sensitive API: Granting a
persistent permission to an http: origin amounts to granting a
On Fri, Sep 26, 2014 at 10:58 PM, Anne van Kesteren wrote:
> Exposing geolocation on unauthenticated origins was a mistake. Copying
> that for getUserMedia() is too. I suggest that to protect our users we
> make some noise about deprecating this practice. And that in that
> message we convey we pl
On 9/29/14 03:02, Anne van Kesteren wrote:
On Mon, Sep 29, 2014 at 2:02 AM, Adam Roach wrote:
Yes, I saw that. Your proposal didn't see a lot of support in that venue.
So far for geolocation there is nobody that is opposed.
I'm responding on the topic of gUM, but I'll point out that a respon
On Mon, Sep 29, 2014 at 3:44 AM, Anne van Kesteren wrote:
> On Mon, Sep 29, 2014 at 12:19 PM, Dale Harvey wrote:
> >> There's a host of problems when you're using file URLs.
> >
> > pun intended? :)
>
> Heh. (Note that file URLs apparently count as authenticated origins.
> Which makes sense.)
On Mon, Sep 29, 2014 at 12:19 PM, Dale Harvey wrote:
>> There's a host of problems when you're using file URLs.
>
> pun intended? :)
Heh. (Note that file URLs apparently count as authenticated origins.
Which makes sense.)
> But I agree, for a long time developing off file:/// is pretty much
> i
> There's a host of problems when you're using file URLs.
pun intended? :)
But I agree, for a long time developing off file:/// is pretty much
impossible and developers are now required to start a server in order to
build or use their entirely offline completely unconnected application, is
it rea
On Mon, Sep 29, 2014 at 8:01 AM, Dale Harvey wrote:
> What is the definition of 'authenticated origins', particularly when dealing
> with localhost,
https://w3c.github.io/webappsec/specs/mixedcontent/#authenticated-origin
> This has already been a major painpoint as the author of an IndexedDB
>
On Mon, Sep 29, 2014 at 2:02 AM, Adam Roach wrote:
> Yes, I saw that. Your proposal didn't see a lot of support in that venue.
So far for geolocation there is nobody that is opposed.
For getUserMedia() there are claims of extensive discussion that is
not actually recorded in text. There was also
On 28 September 2014 17:38, Anne van Kesteren wrote:
> On Sun, Sep 28, 2014 at 3:08 PM, Karl Dubost wrote:
> > Imagine if I'm home developing my own little Web app on my computer, I
> need to get through the hoops of deploying TLS.
>
> For testing purposes you can get by without TLS just fine. As f
On 9/27/14 02:24, Anne van Kesteren wrote:
On Fri, Sep 26, 2014 at 11:11 PM, Adam Roach wrote:
This is a matter for the relevant specification, not some secret cabal.
I was not proposing doing anything in secret.
I also contacted the relevant standards lists.
Yes, I saw that. Your proposa
On 29 Sept. 2014, at 00:38, Anne van Kesteren wrote:
>> It doesn't visibly and directly improve the life of people. In the big
>> scheme of things, it gives an additional layer of security on their
>> communications, but not privacy.
>
> It gives privacy from passive and active network attack
On Fri, Sep 26, 2014 at 12:58 PM, Anne van Kesteren wrote:
> Exposing geolocation on unauthenticated origins was a mistake. Copying
> that for getUserMedia() is too. I suggest that to protect our users we
> make some noise about deprecating this practice. And that in that
> message we convey we p
On Sep 28, 2014, at 6:26 AM, Anne van Kesteren wrote:
> On Sat, Sep 27, 2014 at 10:10 PM, Richard Barnes wrote:
>> Are you making an argument more subtle than "everything should be HTTPS, so
>> we should make HTTP less functional"?
>
> I'm not sure where you see me making that argument in thi
On Sun, Sep 28, 2014 at 3:08 PM, Karl Dubost wrote:
> Imagine if I'm home developing my own little Web app on my computer, I need to
> get through the hoops of deploying TLS.
For testing purposes you can get by without TLS just fine. As far as I
know the definition of authenticated origin includes
Anne,
On 28 Sept. 2014, at 19:26, Anne van Kesteren wrote:
> I'm not sure where you see me making that argument in this thread. I
> simply recommended we move to require TLS for privacy-sensitive APIs.
I'm usually pushing privacy (or more exactly opacity) very hard, almost in a
paranoid way. T
On Sat, Sep 27, 2014 at 10:10 PM, Richard Barnes wrote:
> Are you making an argument more subtle than "everything should be HTTPS, so
> we should make HTTP less functional"?
I'm not sure where you see me making that argument in this thread. I
simply recommended we move to require TLS for privacy
On Sep 27, 2014, at 3:02 AM, Anne van Kesteren wrote:
> On Fri, Sep 26, 2014 at 11:06 PM, Richard Barnes wrote:
>> It is not our job to break the HTTP-schemed web to force everyone to HTTPS.
>
> It is for features where it matters for end users.
>
>
>> Users and web sites have been using geo
On Fri, Sep 26, 2014 at 11:11 PM, Adam Roach wrote:
> This is a matter for the relevant specification, not some secret cabal.
I was not proposing doing anything in secret.
I also contacted the relevant standards lists.
--
https://annevankesteren.nl/
On Fri, Sep 26, 2014 at 11:06 PM, Richard Barnes wrote:
> It is not our job to break the HTTP-schemed web to force everyone to HTTPS.
It is for features where it matters for end users.
> Users and web sites have been using geolocation on unauthenticated origins
> for several years now without
On 9/26/14 14:58, Anne van Kesteren wrote:
Exposing geolocation on unauthenticated origins was a mistake. Copying
that for getUserMedia() is too. I suggest that to protect our users we
make some noise about deprecating this practice.
There have already been extensive discussions on this specifi
Speaking as someone who (1) chaired the IETF working group on geolocation and
privacy for several years, and (2) now manages PKI and crypto for Mozilla --
this is nonsense as stated. It is not our job to break the HTTP-schemed web to
force everyone to HTTPS.
Users and web sites have been using
Exposing geolocation on unauthenticated origins was a mistake. Copying
that for getUserMedia() is too. I suggest that to protect our users we
make some noise about deprecating this practice. And that in that
message we convey we plan to disable both on unauthenticated origins
once 2015 is over.
Mo
28 matches