[Bug 26332] Applications should only use EME APIs on secure origins (e.g. HTTPS) from bugzilla@jessica.w3.org on 2014-08-12 (public-html-bugzilla@w3.org from August 2014)

From: <bugzilla@jessica.w3.org>
Date: Tue, 12 Aug 2014 16:59:40 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-26332-2486-sA66FmBeOB@http.www.w3.org/Bugs/Public/>

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26332

Anne <annevk@annevk.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |annevk@annevk.nl

--- Comment #21 from Anne <annevk@annevk.nl> ---
(In reply to Mark Watson from comment #17)
> As with any web API, it is for the UA implementor to take care about what
> information they expose, to obtain suitable user consent for exposure of
> information etc. It's not something where the specification needs to dictate
> to UA implementors.

Actually that is false. A standard can definitely require that an API is only
exposed on secure origins, even if that API requires further user opt in. This
protects the end user from potential harm. We have not been good with this in
the past (e.g. geolocation works on insecure pages), but we should be going
forward.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

Received on Tuesday, 12 August 2014 16:59:42 UTC