- From: Florian Bösch <pyalot@gmail.com>
- Date: Wed, 13 Jul 2016 11:27:15 +0200
- To: Brandon Jones <bajones@google.com>
- Cc: public-webvr@w3.org
- Message-ID: <CAOK8ODjec1LQ_BAJZ=xys35OUJH0LHN-jKda60186G6aaq60yA@mail.gmail.com>
On Wed, Jul 13, 2016 at 6:29 AM, Brandon Jones <bajones@google.com> wrote: > Following conversations with Chrome's security teams, we are now planning > on making WebVR only available to secure origins when it officially > launches. > I don't agree with that. > This is consistent with our current policy for powerful new features > <https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features> > , > It's a bad policy. > and we definitely consider WebVR to be a powerful feature! > That's the only test you do to decide if you carot&stick people into HTTPS? What a high bar to pass... > We are, in effect, giving sites the ability to take over not just your > cursor > Gaze isn't your cursor. And it's not "taking it over". If you don't react to gaze, you make users puke, there's no choice on following gaze if you're writing VR. What a nonesense. > or your screen > You're not giving people the control to take over somebodies screen, unless you consider "writing any webpage" the same. Why don't you make "any wepage" HTTPS only? Hm funny that, ain't it? > but completely override one of your senses. > You're not overriding anybodies senses. It's a HMD, people can take it off. Stop spewing nonesense. > It's prudent for us to ensure the digital reality we deliver > You don't deliver anything. Website authors deliver content, you're just transmitting it. How authors transmit is up to them, not to you. > to users is authenticated, > TLS does nothing whatsoever for authentication in any way. > integrity-checked, and confidential. > Those largely don't matter in any way specific to WebVR, in fact, they matter even less for WebVR than for general web content. So that's just another item of vapid nonesense. > We realize that some developers have strong opinions on this subject. > You betcha. > We welcome feedback, *especially *if this policy makes your planned use > case infeasible! > TLS makes all kinds of things infeasible. But among other things, it makes it more difficult to compete with google. Which is fine, unless you where the one forcing people into TLS. Ah but of course you are the one forcing people into TLS. OOOOOOPS. Anti-competitive anybody? So when's letsencrypt starting to hand out the same kind of certificate in ulimited numbers that google uses for its own sites? Never? That's convenient for google now isn't it? > Additionally, efforts like Lets Encrypt are in full swing and make it > easier than ever to make your sites secure. > Centralizing everybodies certificates with a single CA (they do get hacked occasionally you know?) isn't more secure. It's a security nightmare, and the source of DOS bombs (cause let's face it, if google has to revoke the letsencrypt master key from the certificate chain due to a hack, millions of peoples websites go "offline", i.e. can't use those features anymore). > This change will not appear in my experimental binaries for a little > while, but we wanted to make sure the community was aware of the change > well in advance so that everyone has time to make the appropriate changes > and provide us with any feedback you might have. > Feedback provided.
Received on Wednesday, 13 July 2016 09:27:56 UTC