- From: Florian Bösch <pyalot@gmail.com>
- Date: Wed, 13 Jul 2016 12:45:37 +0200
- To: Sean McBeth <sean.mcbeth@primrosevr.com>
- Cc: Martin Splitt <mr.avgp@gmail.com>, Brandon Jones <bajones@google.com>, public-webvr@w3.org
- Message-ID: <CAOK8ODhCwwWTpwkDP4pPa3_Mr2HBx+bKyd9rW=FSMm=mzyDL7w@mail.gmail.com>
Also note that there is a long ongoing discussion to only allow fullscreen over secure origins. This has led to many web-pages (which embed the youtube or vimeo or any other video player) to not have a fullscreen button. It is not in the control of a service provider (like youtube) to mandate that their videos can only be embedded on secure origin pages. The same mechanism would prevent WebVR services from properly functioning as well. For instance, Sketchfab provides users with the ability to embed widgets in their own web pages. Sketchfab has no control over the transport those pages use. Therefore, if somebody embeds the sketchfab viewer on a non HTTPS page, their viewers WebVR feature would break. On Wed, Jul 13, 2016 at 12:36 PM, Sean McBeth <sean.mcbeth@primrosevr.com> wrote: > It comes to my attention that the issue with XmlHTTPRequest is not to do > with secure origins, but same-origin policy. So I also have to keep track > of multiple ways in which my page may not work, for no other reason than > "browser refuses to do what is syntactically correct". It's a serious > barrier to adoption for new developers. > On Jul 13, 2016 6:29 AM, "Sean McBeth" <sean.mcbeth@primrosevr.com> wrote: > >> >> On Jul 13, 2016 6:04 AM, "Martin Splitt" <mr.avgp@gmail.com> wrote: >> >> > >> We welcome feedback, especially if this policy makes your planned >> use case infeasible! >> > > >> > > TLS makes all kinds of things infeasible. >> > >> > Can you give a example? >> >> For one thing, your own file system is not considered a secure origin. >> I've ran into lots of people trying to get into WebVR that just don't >> understand what that means. They see a page, they see they can link to >> images on that page, they can double click on that file and see the >> results. It never occurs to then that they need to run a local web server. >> If they don't already know what that means, it's nearly impossible to >> explain the indirection. Why do they need a web server when the file is >> right there? >> >> I know several more people who have no idea how to setup a self-signed >> certificate on their machine to be able to test features on their own >> networks. OpenSSL is not that easy to install on Windows. A similar fiat >> decision was made for WebRTC. I eventually just copied the certs off of my >> production site and live with the cert warnings. S terrible solution to a >> stupid problem. >> >> Frankly, I've been a web dev for 20 years and it feels rather ridiculous >> that web dev is harder, more cumbersome *today*. I don't even get why >> disabling XmlHTTPRequest was necessary, rather than restricting it to the >> parent directory of the page. >> >> I agree with Florian. It's on Google to provide tools, not dictate how >> they are used. >> >
Received on Wednesday, 13 July 2016 10:46:09 UTC