Re: [webvr] Chrome WebVR available only on secure origins

On Wed, Jul 13, 2016 at 6:29 AM, Brandon Jones <bajones@google.com> wrote:

> Following conversations with Chrome's security teams, we are now planning
> on making WebVR only available to secure origins when it officially
> launches.
>
I don't agree with that.


> This is consistent with our current policy for powerful new features
> <https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>
> ,
>
It's a bad policy.


> and we definitely consider WebVR to be a powerful feature!
>
That's the only test you do to decide if you carrot-and-stick people into HTTPS?
What a high bar to pass...


> We are, in effect, giving sites the ability to take over not just your
> cursor
>
Gaze isn't your cursor. And it's not "taking it over". If you don't react
to gaze, you make users puke; there's no choice on following gaze if you're
writing VR. What nonsense.


> or your screen
>
You're not giving people the control to take over somebody's screen, unless
you consider "writing any webpage" the same. Why don't you make "any
webpage" HTTPS only? Hm, funny that, ain't it?


> but completely override one of your senses.
>
You're not overriding anybody's senses. It's an HMD; people can take it off.
Stop spewing nonsense.


> It's prudent for us to ensure the digital reality we deliver
>
You don't deliver anything. Website authors deliver content, you're just
transmitting it. How authors transmit is up to them, not to you.


> to users is authenticated,
>
TLS does nothing whatsoever for authentication in any way.


> integrity-checked, and confidential.
>
Those largely don't matter in any way specific to WebVR; in fact, they
matter even less for WebVR than for general web content. So that's just
another item of vapid nonsense.


> We realize that some developers have strong opinions on this subject.
>
You betcha.


> We welcome feedback, *especially *if this policy makes your planned use
> case infeasible!
>
TLS makes all kinds of things infeasible. But among other things, it makes
it more difficult to compete with Google. Which is fine, unless you were
the one forcing people into TLS. Ah, but of course you are the one forcing
people into TLS. OOOOOOPS. Anti-competitive, anybody? So when's Let's Encrypt
starting to hand out the same kind of certificate in unlimited numbers that
Google uses for its own sites? Never? That's convenient for Google now,
isn't it?


>  Additionally, efforts like Let's Encrypt are in full swing and make it
> easier than ever to make your sites secure.
>
Centralizing everybody's certificates with a single CA (they do get hacked
occasionally, you know?) isn't more secure. It's a security nightmare, and
the source of DoS bombs ('cause let's face it, if Google has to revoke the
Let's Encrypt master key from the certificate chain due to a hack, millions
of people's websites go "offline", i.e. can't use those features anymore).


> This change will not appear in my experimental binaries for a little
> while, but we wanted to make sure the community was aware of the change
> well in advance so that everyone has time to make the appropriate changes
> and provide us with any feedback you might have.
>
Feedback provided.

Received on Wednesday, 13 July 2016 09:27:56 UTC