- From: Mark Watson <watsonm@netflix.com>
- Date: Thu, 21 Aug 2014 16:55:43 -0700
- To: Adam Langley <agl@google.com>
- Cc: "Eduardo' Vela" <evn@google.com>, Chris Palmer <palmer@google.com>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Sent from my iPhone

> On Aug 21, 2014, at 4:44 PM, Adam Langley <agl@google.com> wrote:
>
>> On Thu, Aug 21, 2014 at 4:37 PM, Mark Watson <watsonm@netflix.com> wrote:
>> Wouldn't it be more accurate to say to the user, at this point, "This
>> website wishes to access your location. However, we can't reliably
>> determine the identity of the website and it may send your location
>> information in a way that is not protected against eavesdropping. Do
>> you want to proceed?"
>
> No, because bombarding the user with complex warnings all day, taxing
> their executive capacity and then blaming them when something bad
> happens is a poor way to build products. We do enough of it already,
> we don't want to make it worse for the sake of a few dollars a year.

So, you're saying that the above text is less accurate than saying 'example.com wants to see your location'?

I actually wasn't advocating that geolocation be available to insecure origins, just pointing out that if it was / where it is, there is no need to mislead users that you know who is asking for it.

Anyway, I totally agree a few dollars a year is well worth it to avoid a user dialog like this, if that was the choice. What, though, if the alternative was not just a few dollars but millions? What if the alternative is using a plugin?

...Mark

>
>
> Cheers
>
> AGL
Received on Thursday, 21 August 2014 23:56:11 UTC