- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 12 Jun 2015 10:49:17 -0700
- To: Mike West <mkwst@google.com>
- Cc: Richard Barnes <rbarnes@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Tanvi Vyas <tanvi@mozilla.com>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>, Jonas Sicking <jonas@sicking.cc>

On 12 June 2015 at 09:41, Mike West <mkwst@google.com> wrote:
> The spec does currently require HTTPS. I'm not sure we could reasonably
> relax that, for exactly the reasons you point to. It sounds like exactly the
> kind of API for which we'd want to require an authenticated and encrypted
> connection.

I actually think that having this on cleartext connections is a benefit. Unless there is persistent data that somehow prevents other persistence from happening. I'm not aware of any such feature.

Elsewhere, Henri Sivonen suggested that we make cookies on cleartext origins less persistent by default. This seems consistent with that philosophy.

Received on Friday, 12 June 2015 17:49:44 UTC