RE: Require authenticated origin for geolocation from Mandyam, Giridhar on 2014-09-27 (public-geolocation@w3.org from September 2014)

From: Mandyam, Giridhar <mandyam@quicinc.com>
Date: Sat, 27 Sep 2014 15:24:20 +0000
To: Doug Turner <doug.turner@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
CC: Ryan Sleevi <sleevi@google.com>, Chris Palmer <palmer@google.com>, public-geolocation <public-geolocation@w3.org>
Message-ID: <5e6972f51aec4151a1283cf2e003c399@NASANEXM01C.na.qualcomm.com>

Anne,
I personally don’t have a problem with this, as I believe this would be necessary for certain geolocation use cases in the context of payments or dispatch (won’t go into details here – you can refer to my papers in this year’s Web Payments and Web Crypto Worskhops). In other words, it is not just a pervasive monitoring concern.  We can add this to the TPAC agenda to discuss further.

May I ask why you did not suggest a similar 3-step plan of action for gUM?  It seems like an approach that can be adopted broadly within the W3C for sensitive API’s.

-Giri


From: Doug Turner [mailto:doug.turner@gmail.com]
Sent: Saturday, September 27, 2014 1:19 AM
To: Anne van Kesteren
Cc: Ryan Sleevi; Chris Palmer; public-geolocation
Subject: Re: Require authenticated origin for geolocation


+1
On Sep 27, 2014 8:24 AM, "Anne van Kesteren" <annevk@annevk.nl<mailto:annevk@annevk.nl>> wrote:
Given http://tools.ietf.org/html/rfc7258 I think we should reconsider
whether to expose geolocation to unauthenticated origins. I don't
think this was duly considered at the time the API was released.

Furthermore, I think that if we agree this is a problem, we could
create a plan for phasing out support where no TLS is involved.

1) Start warning for usage right away.
2) Have developer evangelists spread the date when it will be disabled
(end of 2015?).
3) Disable it.


--
https://annevankesteren.nl/

Received on Saturday, 27 September 2014 15:24:50 UTC