Re: Proposal: Prefer secure origins for powerful new web platform features from Chris Palmer on 2014-08-21 (public-webappsec@w3.org from August 2014)

From: Chris Palmer <palmer@google.com>
Date: Thu, 21 Aug 2014 13:19:16 -0700
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOuvq21Qg3OPeqSK5H3=mDaqMgjtkgbe8sY3_qbdJGuv5u1xeQ@mail.gmail.com>

On Tue, Aug 19, 2014 at 5:22 PM, Mark Watson <watsonm@netflix.com> wrote:

> I think we should be highly selective about applying any blanket prohibition
> on access to features from http sites.

Indeed, we are. So far the only new features that require secure origins are:

* Service Workers
* Geofencing (relies on Service Workers)
* WebCrypto

The great majority of new web platform features, and the large body of
grandfathered-in features, are available to secure and non-secure
origins alike.

> It is of course quite appropriate for UAs to require user consent, provide
> warnings etc., including differentiating between use of a feature by a
> secure origin and a non-secure one, as they see fit. However, the danger of
> prohibiting things is that web developers may feel a new feature is being
> "held hostage" in support of an unrelated, albeit noble, goal of encouraging
> https use.

There is that risk, I agree. But I think it's fair to ask developers
who want to run long-running threads in the background on peoples'
phone, which track peoples' locations, why they think that power
should be granted to unauthenticated, MITM-mangled code. The needs of
users come first:

http://www.w3.org/TR/html-design-principles/#priority-of-constituencies

It is most often the case that the needs of these constituencies
align, rather than conflict. But when they do conflict, we must
prioritize the bare minimum level of safety for users over the
temporary convenience to developers of not having to turn on an option
on Nginx and pay $15.

Put it another way: Should we also want Android, iOS, Mac OS X, and
Windows applications to not be cryptographically signed? No.
Well-behaved apps on all platforms, developed by professionals who get
paid, have signed code. HTTPS is code-signing for the web. It is not
even the most expensive or difficult code-signing system.

With incredible power comes a tiny amount of responsibility.

Received on Thursday, 21 August 2014 20:19:42 UTC