On Sep 30, 2014, at 5:36 PM, Ehsan Akhgari ehsan.akhg...@gmail.com wrote:
On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
More immediately we should make it impossible to make persistent
grants for these features on unauthenticated origins.
This I agree with when it comes to privacy-sensitive
On 2014-10-02, 2:34 PM, Richard Barnes wrote:
On Sep 30, 2014, at 5:36 PM, Ehsan Akhgari ehsan.akhg...@gmail.com wrote:
On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
More immediately we should make it impossible to make persistent
grants for these features on unauthenticated origins.
This I
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that usual practice before we remove something we don't like
is to provide some warning.
On 10/2/14 1:07 PM, Martin Thomson wrote:
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that usual practice before we remove something we
On 2014-10-02, 4:07 PM, Martin Thomson wrote:
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that usual practice before we remove something
On 2014-10-02, 4:38 PM, Justin Dolske wrote:
On 10/2/14 1:07 PM, Martin Thomson wrote:
On 02/10/14 11:58, Ehsan Akhgari wrote:
What data specifically? I'm fairly confident that we can make this
change no matter how many websites use geolocation from
non-authenticated origins.
I believe that
On Fri, Sep 26, 2014 at 10:58 PM, Anne van Kesteren ann...@annevk.nl wrote:
Exposing geolocation on unauthenticated origins was a mistake. Copying
that for getUserMedia() is too. I suggest that to protect our users we
make some noise about deprecating this practice. And that in that
message we
On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
More immediately we should make it impossible to make persistent
grants for these features on unauthenticated origins.
This I agree with when it comes to privacy-sensitive API: Granting a
persistent permission to an http: origin amounts to granting
On 28 September 2014 17:38, Anne van Kesteren ann...@annevk.nl wrote:
On Sun, Sep 28, 2014 at 3:08 PM, Karl Dubost kdub...@mozilla.com wrote:
Imagine if I home developing my own little Web app on my computer, I
need to get through the hops of deploying TLS.
For testing purposes you can get
On Mon, Sep 29, 2014 at 2:02 AM, Adam Roach a...@mozilla.com wrote:
Yes, I saw that. Your proposal didn't see a lot of support in that venue.
So far for geolocation there is nobody that is opposed.
For getUserMedia() there are claims of extensive discussion that is
not actually recorded in
On Mon, Sep 29, 2014 at 8:01 AM, Dale Harvey d...@arandomurl.com wrote:
What is the definition of 'authenticated origins', particularly when dealing
with localhost,
https://w3c.github.io/webappsec/specs/mixedcontent/#authenticated-origin
This has already been a major painpoint as the author
There's a host of problems when you're using file URLs.
pun intended? :)
But I agree, for a long time developing off file:/// is pretty much
impossible and developers are now required to start a server in order to
build or use their entirely offline completely unconnected application, is
it
On Mon, Sep 29, 2014 at 12:19 PM, Dale Harvey d...@arandomurl.com wrote:
There's a host of problems when you're using file URLs.
pun intended? :)
Heh. (Note that file URLs apparently count as authenticated origins.
Which makes sense.)
But I agree, for a long time developing off file:/// is
On Mon, Sep 29, 2014 at 3:44 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Mon, Sep 29, 2014 at 12:19 PM, Dale Harvey d...@arandomurl.com wrote:
There's a host of problems when you're using file URLs.
pun intended? :)
Heh. (Note that file URLs apparently count as authenticated
On 9/29/14 03:02, Anne van Kesteren wrote:
On Mon, Sep 29, 2014 at 2:02 AM, Adam Roach a...@mozilla.com wrote:
Yes, I saw that. Your proposal didn't see a lot of support in that venue.
So far for geolocation there is nobody that is opposed.
I'm responding on the topic of gUM, but I'll point
On Sat, Sep 27, 2014 at 10:10 PM, Richard Barnes rbar...@mozilla.com wrote:
Are you making an argument more subtle than everything should be HTTPS, so
we should make HTTP less functional?
I'm not sure where you see me making that argument in this thread. I
simply recommended we move to require
On Sun, Sep 28, 2014 at 3:08 PM, Karl Dubost kdub...@mozilla.com wrote:
Imagine if I home developing my own little Web app on my computer, I need to
get through the hops of deploying TLS.
For testing purposes you can get by without TLS just fine. As far as I
know the definition of
On Sep 28, 2014, at 6:26 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Sat, Sep 27, 2014 at 10:10 PM, Richard Barnes rbar...@mozilla.com wrote:
Are you making an argument more subtle than everything should be HTTPS, so
we should make HTTP less functional?
I'm not sure where you see me
On Fri, Sep 26, 2014 at 12:58 PM, Anne van Kesteren ann...@annevk.nl
wrote:
Exposing geolocation on unauthenticated origins was a mistake. Copying
that for getUserMedia() is too. I suggest that to protect our users we
make some noise about deprecating this practice. And that in that
message
Le 29 sept. 2014 à 00:38, Anne van Kesteren ann...@annevk.nl a écrit :
It doesn't visibly and directly improve the life of people. In the big
scheme of things, it gives an additional layer of security on their
communications, but not privacy.
It gives privacy from passive and active
On 9/27/14 02:24, Anne van Kesteren wrote:
On Fri, Sep 26, 2014 at 11:11 PM, Adam Roach a...@mozilla.com wrote:
This is a matter for the relevant specification, not some secret cabal.
I was not proposing doing anything in secret.
I also contacted the relevant standards lists.
Yes, I saw
On Fri, Sep 26, 2014 at 11:06 PM, Richard Barnes rbar...@mozilla.com wrote:
It is not our job to break the HTTP-schemed web to force everyone to HTTPS.
It is for features where it matters for end users.
Users and web sites have been using geolocation on unauthenticated origins
for several
On Fri, Sep 26, 2014 at 11:11 PM, Adam Roach a...@mozilla.com wrote:
This is a matter for the relevant specification, not some secret cabal.
I was not proposing doing anything in secret.
I also contacted the relevant standards lists.
--
https://annevankesteren.nl/
On Sep 27, 2014, at 3:02 AM, Anne van Kesteren ann...@annevk.nl wrote:
On Fri, Sep 26, 2014 at 11:06 PM, Richard Barnes rbar...@mozilla.com wrote:
It is not our job to break the HTTP-schemed web to force everyone to HTTPS.
It is for features where it matters for end users.
Users and
Exposing geolocation on unauthenticated origins was a mistake. Copying
that for getUserMedia() is too. I suggest that to protect our users we
make some noise about deprecating this practice. And that in that
message we convey we plan to disable both on unauthenticated origins
once 2015 is over.
Speaking as someone who (1) chaired the IETF working group on geolocation and
privacy for several years, and (2) now manages PKI and crypto for Mozilla --
this is nonsense as stated. It is not our job to break the HTTP-schemed web to
force everyone to HTTPS.
Users and web sites have been
On 9/26/14 14:58, Anne van Kesteren wrote:
Exposing geolocation on unauthenticated origins was a mistake. Copying
that for getUserMedia() is too. I suggest that to protect our users we
make some noise about deprecating this practice.
There have already been extensive discussions on this
27 matches
Mail list logo
