Re: Requiring Authenticated Origins for Geolocation API's: Status from Joel Weinberger on 2015-02-27 (public-webappsec@w3.org from February 2015)

From: Joel Weinberger <jww@chromium.org>
Date: Fri, 27 Feb 2015 06:52:43 +0000
To: "Mandyam, Giridhar" <mandyam@quicinc.com>, public-geolocation <public-geolocation@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "public-web-mobile@w3.org" <public-web-mobile@w3.org>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <CAHQV2Kmozi5Csc5QKk_M93FVKGHdd7DhiMKCGD9s9vqC7uL5xQ@mail.gmail.com>

Great timing. We (Chrome) just announced an abstract plan to deprecate
geolocation over insecure channels (along with several other features:
device motion, EME, fullscreen, and getUserMedia). You can read the post as
made to public-webappsec or at
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/2LXKVWYkOusSo
.

While we do not have an exact plan for deprecation, we do plan to implement
one and support this idea.
--Joel

On Wed, Feb 25, 2015 at 3:54 PM Mandyam, Giridhar <mandyam@quicinc.com>
wrote:

>  As you may recall if you have been reading this list, there was an open
> call for comments on requiring authenticated origins for the Geoloc API.
> There was one detailed response to this CFC from Martin Thomson of Mozilla
> (see
> http://lists.w3.org/Archives/Public/public-geolocation/2014Nov/0008.html),
> and some discussion after that.
>
>
>
> Since that time, there has been related work coming out of WebAppSec that
> affects this area:
>
>
>
> a)      The Mixed Content document (
> http://w3c.github.io/webappsec/specs/mixedcontent/) has continued to
> evolve.
>
> b)      The Privileged Contexts (“Powerful Features”) document (
> http://w3c.github.io/webappsec/specs/powerfulfeatures/) has taken shape
> as well, with a section on legacy features using Geoloc. as an example:
> see http://w3c.github.io/webappsec/specs/powerfulfeatures/#legacy.  Note
> that there are specific guidelines for sunsetting support for insecure
> origins in this section.
>
>
>
> While useful, it is hard to determine whether these documents
> (particularly handling of Legacy Features as described in the Privileged
> Contexts doc) represent strategies that user agent vendors are willing to
> implement specifically for Geolocation.  It is also unclear whether
> developers who are using the Geolocation API will be able to adapt to
> sunsetting of support for insecure origins.  The feedback received so far
> on the CFC has not represented enough of the affected parties. Based on
> this, I would like to continue the call for comments on this list until
> April 1.
>
>
>
> I have CC’ed the WebAppSec group and WebMob group, as there has been
> similar discussion in both groups.  I’ve also CC’ed the TAG.
>
>
>
> -Giri Mandyam, W3C Geolocation Working Group Chair
>
>
>
> *From:* Mandyam, Giridhar [mailto:mandyam@quicinc.com]
> *Sent:* Wednesday, November 05, 2014 7:24 AM
> *To:* public-geolocation
> *Subject:* Requiring Authenticated Origins for Geolocation API's: Open
> Call for Comments (deadline - February 1, 2015)
>
>
>
> As was discussed at TPAC 2014, the topic of requiring authenticated
> origins for geolocation is now being taken up in the form of an open call
> for comments on the public-geo mailing list.  An overview of the issue was
> presented at last week’s face-to-face meeting:
> https://www.w3.org/2008/geolocation/wiki/images/1/12/Geolocation_-_Trusted_Origin.pdf.
> The definition of “authenticated origin” may be found at
> http://w3c.github.io/webappsec/specs/mixedcontent/.  This requirement
> would apply to all specifications developed by the Geolocation Working
> Group.
>
>
>
> As decided at that meeting, before acting upon this issue it is important
> to gather feedback from affected parties.  This includes web service
> providers, developers, and browser (web runtime engine) vendors.
>
>
>
> The following is requested from respondents:
>
>
>
> a)      If you are against requiring authenticated origins for
> geolocation API’s, please state so and state your reasons for objection.
>
> b)      If you are in favor of requiring authenticated origins for
> geolocation API’s, please state so and your reasons for support.  In
> addition, please provide a proposal for how support for unauthenticated
> origins could be phased out (e.g. a schedule for developer evangelization,
> warning dialog boxes in browsers, hard cutoff for ending support in
> browsers).
>
>
>
> After responses are received, I will do my best to compile results and
> provide a representative synopsis of the feedback.  I hope this call for
> comments is clear as written above, but if not please let me know.
>
>
>
> -Giri Mandyam, Geolocation Working Group Chair
>
>
>
> P
>
>
>

Received on Friday, 27 February 2015 06:53:12 UTC