- From: Joel Weinberger <jww@chromium.org>
- Date: Fri, 27 Feb 2015 06:52:43 +0000
- To: "Mandyam, Giridhar" <mandyam@quicinc.com>, public-geolocation <public-geolocation@w3.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-web-mobile@w3.org" <public-web-mobile@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
- Message-ID: <CAHQV2Kmozi5Csc5QKk_M93FVKGHdd7DhiMKCGD9s9vqC7uL5xQ@mail.gmail.com>
Great timing. We (Chrome) just announced an abstract plan to deprecate geolocation over insecure channels (along with several other features: device motion, EME, fullscreen, and getUserMedia). You can read the post as made to public-webappsec or at https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2LXKVWYkOusSo . While we do not have an exact plan for deprecation, we do plan to implement one and support this idea.

--Joel

On Wed, Feb 25, 2015 at 3:54 PM Mandyam, Giridhar <mandyam@quicinc.com> wrote:

> As you may recall if you have been reading this list, there was an open call for comments on requiring authenticated origins for the Geoloc API. There was one detailed response to this CFC from Martin Thomson of Mozilla (see http://lists.w3.org/Archives/Public/public-geolocation/2014Nov/0008.html), and some discussion after that.
>
> Since that time, there has been related work coming out of WebAppSec that affects this area:
>
> a) The Mixed Content document (http://w3c.github.io/webappsec/specs/mixedcontent/) has continued to evolve.
>
> b) The Privileged Contexts (“Powerful Features”) document (http://w3c.github.io/webappsec/specs/powerfulfeatures/) has taken shape as well, with a section on legacy features using Geoloc. as an example: see http://w3c.github.io/webappsec/specs/powerfulfeatures/#legacy. Note that there are specific guidelines for sunsetting support for insecure origins in this section.
>
> While useful, it is hard to determine whether these documents (particularly handling of Legacy Features as described in the Privileged Contexts doc) represent strategies that user agent vendors are willing to implement specifically for Geolocation. It is also unclear whether developers who are using the Geolocation API will be able to adapt to sunsetting of support for insecure origins. The feedback received so far on the CFC has not represented enough of the affected parties. Based on this, I would like to continue the call for comments on this list until April 1.
>
> I have CC’ed the WebAppSec group and WebMob group, as there has been similar discussion in both groups. I’ve also CC’ed the TAG.
>
> -Giri Mandyam, W3C Geolocation Working Group Chair
>
> *From:* Mandyam, Giridhar [mailto:mandyam@quicinc.com]
> *Sent:* Wednesday, November 05, 2014 7:24 AM
> *To:* public-geolocation
> *Subject:* Requiring Authenticated Origins for Geolocation API's: Open Call for Comments (deadline - February 1, 2015)
>
> As was discussed at TPAC 2014, the topic of requiring authenticated origins for geolocation is now being taken up in the form of an open call for comments on the public-geo mailing list. An overview of the issue was presented at last week’s face-to-face meeting: https://www.w3.org/2008/geolocation/wiki/images/1/12/Geolocation_-_Trusted_Origin.pdf. The definition of “authenticated origin” may be found at http://w3c.github.io/webappsec/specs/mixedcontent/. This requirement would apply to all specifications developed by the Geolocation Working Group.
>
> As decided at that meeting, before acting upon this issue it is important to gather feedback from affected parties. This includes web service providers, developers, and browser (web runtime engine) vendors.
>
> The following is requested from respondents:
>
> a) If you are against requiring authenticated origins for geolocation API’s, please state so and state your reasons for objection.
>
> b) If you are in favor of requiring authenticated origins for geolocation API’s, please state so and your reasons for support. In addition, please provide a proposal for how support for unauthenticated origins could be phased out (e.g. a schedule for developer evangelization, warning dialog boxes in browsers, hard cutoff for ending support in browsers).
>
> After responses are received, I will do my best to compile results and provide a representative synopsis of the feedback. I hope this call for comments is clear as written above, but if not please let me know.
>
> -Giri Mandyam, Geolocation Working Group Chair
>
> P
Received on Friday, 27 February 2015 06:53:12 UTC