Chrome WebVR avaliable only on secure origins

Following conversations with Chrome's security teams, we are now planning
on making WebVR only available to secure origins when it officially
launches. This is consistent with our current policy for powerful new
features
<https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>,
and we definitely consider WebVR to be a powerful feature! We are, in
effect, giving sites the ability to take over not just your cursor or your
screen but completely override one of your senses. It's prudent for us to
ensure the digital reality we deliver to users is authenticated,
integrity-checked, and confidential.

We realize that some developers have strong opinions on this subject. We
welcome feedback, *especially *if this policy makes your planned use case
infeasible! But we also feel that the development community around a new
feature like this is actually in the best position to gracefully handle
this requirement. WebVR projects are less likely to have large amounts of
legacy code that needs to be updated to support HTTPS. Additionally,
efforts like Lets Encrypt are in full swing and make it easier than ever to
make your sites secure.

This change will not appear in my experimental binaries for a little while,
but we wanted to make sure the community was aware of the change well in
advance so that everyone has time to make the appropriate changes and
provide us with any feedback you might have.

Thanks!
--Brandon Jones

(PS: If you're reading this on web-vr-discuss@mozilla.org, I encourage you
to join the public-webvr@w3.org mailing list! That's to official public
mailing list for our community group <https://www.w3.org/community/webvr/> and
the channel that will be used for communication like this in the future.)

Received on Wednesday, 13 July 2016 04:30:41 UTC