Re: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

On November 6, 2014, at 1:21 PM, Mounir Lamouri <mounir@lamouri.fr> wrote:
> On Thu, 6 Nov 2014, at 05:10, Martin Thomson wrote:
>> An authenticated origin is not sufficient to prevent situations where
>> users release information.  For an authenticated origin to provide
>> meaningful protection, users not only need to verify that the site is
>> authenticated (for which there is ample evidence that they do not),
>> they also need to ensure that it is the site that they intend to send
>> this information to.  That's much, much harder.
> 
> Also, an issue with using the geolocation api over insecure origins (and
> especially http) is that you might end up passing in the clear through the
> wire some personal and identifiable information, which, obviously, isn't
> a great idea.

We should be careful in considering the threat model. That the JavaScript that initiates a geolocation call was loaded over a secure transport doesn't guarantee confidentiality from a passive attacker: a Web developer might append the user's latitude and longitude to the src of an img loaded over HTTP, for example. It might still help, since HTTPS origins will have more of their resources loaded over HTTPS because of mixed content blocking, but I think we'd also want to give separate guidance to Web developers about avoiding sending sensitive information in the clear.

Nick

Received on Friday, 7 November 2014 23:39:11 UTC
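The leak Nick describes, as an added JavaScript example that is not part of this thread: the naive "append coordinates to an image src" pattern beside a guarded builder that refuses plaintext targets, plus an audit helper that flags coordinate-carrying http URLs in a list of resource requests. Hostnames, parameter names and the sample coordinates are assumptions constructed for the example.

```javascript
// Added example, not code from the thread. Runs in Node or a browser without
// a DOM; coordinates are shaped like Geolocation API position.coords values.
const SAMPLE_COORDS = { latitude: 48.8566, longitude: 2.3522 }; // constructed

// The pattern under discussion: coordinates appended to an image source with
// no check on the scheme. With a plain-http base they cross the wire in clear
// even though the calling script was itself loaded over HTTPS.
function naiveTrackingPixelUrl(base, coords) {
  return `${base}?lat=${coords.latitude}&lon=${coords.longitude}`;
}

// Hardened variant: only build the URL when the request will travel over TLS.
// Throwing surfaces the problem in development instead of shipping a leak.
function secureTrackingPixelUrl(base, coords) {
  const u = new URL(base);
  if (u.protocol !== 'https:') {
    throw new Error(`refusing to send coordinates to plaintext origin ${u.origin}`);
  }
  u.searchParams.set('lat', coords.latitude.toFixed(4));
  u.searchParams.set('lon', coords.longitude.toFixed(4));
  return u.toString();
}

// Audit helper for reviewers: given the resource URLs a page requests (for
// instance collected from a HAR capture), return those that carry
// coordinate-looking query parameters over plain http. The parameter-name
// list is a heuristic assumed for this example.
const COORD_PARAMS = ['lat', 'latitude', 'lon', 'lng', 'longitude'];
function findPlaintextCoordinateLeaks(urls) {
  return urls.filter((s) => {
    let u;
    try { u = new URL(s); } catch { return false; } // skip unparsable entries
    if (u.protocol !== 'http:') return false;
    return COORD_PARAMS.some((p) => u.searchParams.has(p));
  });
}
```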