Re: "Requirements for Powerful Features" strawman.

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 25 Nov 2014 10:50:34 -0800
Message-ID: <CABkgnnULyw8eMPdF7NBnHev3c9v+6HqWa+WhRn9rs52TeuW4zw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@fb.com>

On 22 November 2014 at 06:03, Mike West <mkwst@google.com> wrote:
> Geolocation isn't something we can just turn off for insecure contexts, but
> it's certainly something where we can experiment with degrading the insecure
> experience (by shortening permission lifetimes, for instance

I should think that removing any sort of persistent permission would
be an obvious immediate step, rather than reducing by steps.  Any site
that has persistent permission over an unauthenticated origin is going
to expose users pretty badly.

> or by coarsening the location

...or by randomly generating failures with increasing frequency.  Both
of which do more to annoy users than motivate a change.

I agree that it is worth finding a way to phase this out, but
announcing a date is probably the best approach.  Announce a date we
can all agree to and turn the feature off.
Received on Tuesday, 25 November 2014 18:51:05 UTC