Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

>
>
> A nit: The restriction of "Powerful Features" to HTTPS isn't primarily to
> encourage HTTPS adoption: it's because these features are potentially
> dangerous,
>

Yes, true.  The motivation to move to https is only a small facet of the
motivation there.

However - if in light of new requirements I had to choose solution spaces
between "Powerful Features" and possibly allowing users to grant something
like Geolocation permissions to an insecure app (perhaps with extra
warnings, in-context, at that point) vs. "Mixed-Content" and possibly
undermining or complicating the basic guarantees of HTTPS for all users and
all applications on the platform, I would still choose to work in the
"Powerful Features" solution space in a heartbeat.

The possible compromises and consequences in the "Mixed-Content" space
(outside of optimistic upgrade) all have much more collateral damage.

-Brad

Received on Monday, 5 January 2015 23:54:00 UTC