RE: Requiring Authenticated Origins for Geolocation API's: Status

Hello All,

I would like to thank all of those who responded to this open solicitation for comments/opinions.  I’ll also call attention to the Chromium team’s plans on deprecation of support for “Powerful Features” for websites from unauthenticated origins:  http://lists.w3.org/Archives/Public/public-geolocation/2015Feb/0001.html.


However, given the responses received (and after consultations with the W3C Privacy and Interest Group during their F2F at IETF 92), I have concluded that the group is not in a position to make any normative requirements for authenticated origins and the Geolocation API.  There is no evidence of consensus, and more importantly there is no evidence of a commitment from other browser vendors to adopt similar plans to that of Chrome.  The group should nevertheless continue to monitor developments such as the Chromium team’s plans mentioned above, and see if other browser vendors follow suit.

-Giri Mandyam, W3C Geolocation Working Group Chair

From: Mandyam, Giridhar [mailto:mandyam@quicinc.com]
Sent: Wednesday, February 25, 2015 3:52 PM
To: public-geolocation
Cc: public-webappsec@w3.org; public-web-mobile@w3.org; www-tag@w3.org
Subject: Requiring Authenticated Origins for Geolocation API's: Status

As you may recall if you have been reading this list, there was an open call for comments on requiring authenticated origins for the Geoloc API.  There was one detailed response to this CFC from Martin Thomson of Mozilla (see http://lists.w3.org/Archives/Public/public-geolocation/2014Nov/0008.html), and some discussion after that.

Since that time, there has been related work coming out of WebAppSec that affects this area:


a)      The Mixed Content document (http://w3c.github.io/webappsec/specs/mixedcontent/) has continued to evolve.

b)      The Privileged Contexts (“Powerful Features”) document (http://w3c.github.io/webappsec/specs/powerfulfeatures/) has taken shape as well, with a section on legacy features using Geoloc. as an example:  see http://w3c.github.io/webappsec/specs/powerfulfeatures/#legacy.  Note that there are specific guidelines for sunsetting support for insecure origins in this section.

While useful, it is hard to determine whether these documents (particularly handling of Legacy Features as described in the Privileged Contexts doc) represent strategies that user agent vendors are willing to implement specifically for Geolocation.  It is also unclear whether developers who are using the Geolocation API will be able to adapt to sunsetting of support for insecure origins.  The feedback received so far on the CFC has not represented enough of the affected parties. Based on this, I would like to continue the call for comments on this list until April 1.

I have CC’ed the WebAppSec group and WebMob group, as there has been similar discussion in both groups.  I’ve also CC’ed the TAG.

-Giri Mandyam, W3C Geolocation Working Group Chair

From: Mandyam, Giridhar [mailto:mandyam@quicinc.com]
Sent: Wednesday, November 05, 2014 7:24 AM
To: public-geolocation
Subject: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

As was discussed at TPAC 2014, the topic of requiring authenticated origins for geolocation is now being taken up in the form of an open call for comments on the public-geo mailing list.  An overview of the issue was presented at last week’s face-to-face meeting:  https://www.w3.org/2008/geolocation/wiki/images/1/12/Geolocation_-_Trusted_Origin.pdf.  The definition of “authenticated origin” may be found at http://w3c.github.io/webappsec/specs/mixedcontent/.  This requirement would apply to all specifications developed by the Geolocation Working Group.

As decided at that meeting, before acting upon this issue it is important to gather feedback from affected parties.  This includes web service providers, developers, and browser (web runtime engine) vendors.

The following is requested from respondents:


a)      If you are against requiring authenticated origins for geolocation API’s, please state so and state your reasons for objection.

b)      If you are in favor of requiring authenticated origins for geolocation API’s, please state so and your reasons for support.  In addition, please provide a proposal for how support for unauthenticated origins could be phased out (e.g. a schedule for developer evangelization, warning dialog boxes in browsers, hard cutoff for ending support in browsers).

After responses are received, I will do my best to compile results and provide a representative synopsis of the feedback.  I hope this call for comments is clear as written above, but if not please let me know.

-Giri Mandyam, Geolocation Working Group Chair

P

Received on Saturday, 4 April 2015 16:16:34 UTC