- From: Adam Langley <agl@google.com>
- Date: Thu, 21 Aug 2014 16:20:52 -0700
- To: "Eduardo' Vela" <evn@google.com>
- Cc: Chris Palmer <palmer@google.com>, Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 21, 2014 at 3:29 PM, Eduardo' Vela" <Nava> <evn@google.com> wrote:
> I do not get why Geolocation [...] need to be SSL only.

Let's just take this one for a moment. We're giving the web platform a fairly significant power here and it's pretty reasonable to want to take the sharp edge off it. When we ask the user whether they want to share their location with example.com, it's not reasonable to turn around later and say "oh, didn't you notice the lack of https? It's thus completely your fault that you inadvertently shared your location with example.com and also your ISP, government, etc.". We don't want to build a world where that sort of information is commonly sent in the clear.

But the aim is not to make experimentation hard either. It really shouldn't be, it's just that setting up a local CA and the DNS for experimentation is harder than it should be. If loopback adaptors weren't configured by default then HTTP would be a pain to experiment with also. If I had lots of free time, I'd submit patches to distros to make it easier. But that's a much better direction than a clear text world.

Cheers

AGL

Received on Thursday, 21 August 2014 23:21:39 UTC