Re: Proposal: Prefer secure origins for powerful new web platform features

> I do not get why Geolocation [...] need to be SSL only.

Make it SSL by default and allow the developer to go through a few
hoops to turn it off. Then ensure browsers provide warnings to users
when geoLoc data is sent over HTTP...

This seems to be a good balance between privacy (browser warnings),
developer needs (HTTP support), and security (default to SSL).

Jim Manico
(808) 652-3805

> On Aug 21, 2014, at 6:21 PM, Adam Langley <> wrote:
>> On Thu, Aug 21, 2014 at 3:29 PM, Eduardo' Vela" <Nava> <> wrote:
>> I do not get why Geolocation [...] need to be SSL only.
> Let's just take this one for a moment. We're giving the web platform a
> fairly significant power here and it's pretty reasonable to want to
> take the sharp edge off it.
> When we ask the user whether they want to share their location with
>, it's not reasonable to turn around later and say "oh,
> didn't you notice the lack of https? It's thus completely your fault
> that you inadvertently shared your location with and also
> your ISP, government, etc.". We don't want to build a world where that
> sort of information is commonly sent in the clear
> But the aim is not to make experimentation hard either. It really
> shouldn't be, it's just that setting up a local CA and the DNS for
> experimentation is harder than it should be. If loopback adaptors
> weren't configured by default then HTTP would be a pain to experiment
> with also. If I had lots of free time, I'd submit patches to distros
> to make it easier. But that's a much better direction than a clear
> text world.
> Cheers

Received on Friday, 22 August 2014 02:10:29 UTC