- From: Mark Watson <watsonm@netflix.com>
- Date: Thu, 21 Aug 2014 13:27:33 -0700
- To: Chris Palmer <palmer@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAEnTvdAu5zL95poBDSd=DUCwwEvDB19=PjZ+XV-SAW6DsU6w7Q@mail.gmail.com>

On Thu, Aug 21, 2014 at 1:19 PM, Chris Palmer <palmer@google.com> wrote:

> On Tue, Aug 19, 2014 at 5:22 PM, Mark Watson <watsonm@netflix.com> wrote:
>
> > I think we should be highly selective about applying any blanket prohibition
> > on access to features from http sites.
>
> Indeed, we are. So far the only new features that require secure origins
> are:
>
> * Service Workers
> * Geofencing (relies on Service Workers)
> * WebCrypto
>
> The great majority of new web platform features, and the large body of
> grandfathered-in features, are available to secure and non-secure
> origins alike.

I'd take (took) issue with WebCrypto. I know it requires a secure origin in Chrome but this is not required by the specification.

> > It is of course quite appropriate for UAs to require user consent, provide
> > warnings etc., including differentiating between use of a feature by a
> > secure origin and a non-secure one, as they see fit. However, the danger of
> > prohibiting things is that web developers may feel a new feature is being
> > "held hostage" in support of an unrelated, albeit noble, goal of encouraging
> > https use.
>
> There is that risk, I agree. But I think it's fair to ask developers
> who want to run long-running threads in the background on people's
> phone, which track people's locations, why they think that power
> should be granted to unauthenticated, MITM-mangled code. The needs of
> users come first:
>
> http://www.w3.org/TR/html-design-principles/#priority-of-constituencies

In some cases the alternative to the new feature might be use of plugins, which would be worse for users.

> It is most often the case that the needs of these constituencies
> align, rather than conflict. But when they do conflict, we must
> prioritize the bare minimum level of safety for users over the
> temporary convenience to developers of not having to turn on an option
> on Nginx and pay $15.

Switching to HTTPS is not necessarily that cheap or inconsequential to user experience. If it were, of course I'd agree. Sounds like we don't have a clear understanding of what developers are being asked to do.

> Put it another way: Should we also want Android, iOS, Mac OS X, and
> Windows applications to not be cryptographically signed? No.
> Well-behaved apps on all platforms, developed by professionals who get
> paid, have signed code. HTTPS is code-signing for the web. It is not
> even the most expensive or difficult code-signing system.
>
> With incredible power comes a tiny amount of responsibility.

Indeed. Well said. Applies all around.

...Mark

Received on Thursday, 21 August 2014 20:28:05 UTC