Re: [pointerevents] Add secure context criteria to pointerrawupdate and getCoalescedEvents (#318)

@szmarczak this PR was merged a while ago and I do encourage you to file a new issue, as that might give you more traction from the current editors and maintainers of the repo, since I have been away from this standard for quite some time.

To your original question, I think the PR description should have been clearer in hindsight. I updated it a bit for posterity. I totally agree that these sorts of changes make it a bit harder (but not impossible) for developers to set up localhost testing.

The goal of these `https` restricted APIs is not to protect the user from the website owner. That scenario is indeed remedied by permission-controlled APIs as you suggested, at the cost of users needing to take an explicit action; there are quite a lot of those as well, and they are used for generally more sensitive stuff. The goal here was to protect against man-in-the-middle attacks and to disallow a script that doesn't belong to the host a user is visiting, like one that can get injected into the `http` traffic, from getting this information. Note that even permission-based APIs, if enabled on a non-TLS domain, run the risk of getting abused by MITM attackers. I don't have a list of all of those permissions and whether they are even allowed for non-TLS domains, but that is beyond the scope of your question anyway. Either way, this was just a bit of background on this change (and potentially similar changes). Again, feel free to file new issues and provide your input to the current spec editors, and hopefully this, along with other standards, improves over time.


-- 
GitHub Notification of comment by NavidZ
Please view or discuss this issue at https://github.com/w3c/pointerevents/pull/318#issuecomment-2996630762 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 23 June 2025 14:03:26 UTC
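The practical consequence of gating `getCoalescedEvents` (and `pointerrawupdate`) behind a secure context is that page code should feature-detect it rather than assume it exists, and fall back to the single event on insecure origins. The following is an added example written for this thread, not code from the pointerevents spec or from any commenter; it takes the window object as a parameter (`win`) so the detection logic can be exercised with constructed stand-ins outside a browser, and in a real page you would pass `window`. Note that browsers treat `http://localhost` as a potentially trustworthy origin, so `window.isSecureContext` is normally `true` there even without TLS, which is what keeps localhost testing possible.

```javascript
// Added example (not from the pointerevents spec or this thread): feature-detect
// whether getCoalescedEvents is usable in the current context and fall back to the
// single event's coordinates when it is not (e.g. an insecure http origin).
// `win` is injected so the logic can run outside a browser with a constructed
// stand-in; in a page, call these with `window`.

function coalescedEventsAvailable(win) {
  // The API is [SecureContext], so an insecure origin never exposes it.
  if (!win || !win.isSecureContext) return false;
  const proto = win.PointerEvent && win.PointerEvent.prototype;
  return !!proto && typeof proto.getCoalescedEvents === "function";
}

// Returns the pointer positions to process for one pointermove event:
// every coalesced sample when available, otherwise just the event itself.
function samplePositions(win, event) {
  const usable =
    coalescedEventsAvailable(win) &&
    typeof event.getCoalescedEvents === "function";
  const events = usable ? event.getCoalescedEvents() : [event];
  return events.map((e) => ({ x: e.clientX, y: e.clientY }));
}

// Constructed stand-ins for a secure and an insecure browsing context
// (hypothetical helper, not a browser API).
function makeContext(secure) {
  function PointerEvent() {}
  if (secure) {
    PointerEvent.prototype.getCoalescedEvents = function () { return []; };
  }
  return { isSecureContext: secure, PointerEvent };
}

// Constructed event carrying two coalesced samples; the last sample matches
// the event's own coordinates, as real browsers report it.
const sampleEvent = {
  clientX: 30,
  clientY: 40,
  getCoalescedEvents() {
    return [{ clientX: 10, clientY: 20 }, { clientX: 30, clientY: 40 }];
  },
};

// Stand-alone demonstration: secure context yields both samples, insecure
// context yields only the event itself.
console.log(samplePositions(makeContext(true), sampleEvent));
console.log(samplePositions(makeContext(false), sampleEvent));
```

In a page you would wire `samplePositions(window, ev)` into a `pointermove` listener; the fallback path means a drawing or tracking feature degrades to the event's own coordinates on `http://` origins instead of throwing on a missing method.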