Re: Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)

* Chris Palmer wrote:
>People expect that, like automotive engineers, software engineers are
>not deliberately making basic functionality unsafe. Nobody wants their
>engine block to explode upon ignition, and nobody wants goats.com to
>broadcast their GPS coordinates over the internet in the clear. And
>when they give goats.com permission to access the GPS coordinates,
>they expect to give it to *goats.com*, not "any ISP, attacker, or
>other entity who likes to inject JavaScript into pages they don't
>own".

It seems much more reasonable for them to expect that "goats.com" is
going to broadcast the coordinates and other identifying information
to any number of third parties without their knowledge or permission
for hyperlocal marketing and worse. Possibly not even intentionally,
the coordinates might simply end up in an address that a third party
analytics script picks up. Users may also fail to realise the site's
going to publicly broadcast the coordinates as part of some user's
profile status page. Just a week ago I overheard a young woman who was
complaining about some social media site doing something like this.

>HTTPS provides people the ability to grant a permission to a named
>origin, rather than any ISP, attacker, or other entity who likes to
>inject JavaScript into pages they don't own. It provides people some
>confidence that the origin is not (intentionally, at least)
>broadcasting the person's GPS coordinates to anyone on the internet.

I do not think it should.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 

Received on Tuesday, 2 December 2014 00:38:48 UTC