Re: [webvr] Chrome WebVR available only on secure origins

Hey Florian, thanks for the feedback!

I have some questions about some of the points you made. Let's try to focus
on the issue of TLS-only WebVR and not divert into the general topic of
TLS-everywhere.

Oh and thank Brandon for involving the community in this question and for
pushing the standard forward by providing us with builds :) Much
appreciated!

So, let's see..

On 13.07.2016 at 11:28 AM, "Florian Bösch" <pyalot@gmail.com> wrote:
>
>> This is consistent with our current policy for powerful new features,
>
> It's a bad policy.

Mind elaborating on this? The policy is not a surprise seeing browser
vendors concerned with transport encryption for privacy and integrity of
content and data. I don't find it "bad" to safeguard users from MitM etc.
for many features such as geolocation or payments. For WebVR this is
debatable, I guess, but not a bad policy in general. What makes it bad?

>>
>> We are, in effect, giving sites the ability to take over not just your
>> cursor
>
> Gaze isn't your cursor. And it's not "taking it over". If you don't react
> to gaze, you make users puke, there's no choice on following gaze if you're
> writing VR.
>
>>
>> or your screen
>
> You're not giving people the control to take over somebody's screen,
> unless you consider "writing any webpage" the same. Why don't you make "any
> webpage" HTTPS only? Hm funny that, ain't it?

It's not your cursor but it makes you more susceptible to bad experiences
and tearing down the headset may be a little late to avoid a very bad
experience.

Also, what's so bad about having every website on HTTPS, besides the
nuisance that is the CA business? Let's Encrypt tries to remediate that
(and hopefully more will follow).

>>
>> but completely override one of your senses.
>
> You're not overriding anybody's senses. It's an HMD, people can take it
> off.
>

That's not sufficient when something bad has already happened. Think of
jump scares, for instance.

>>
>> It's prudent for us to ensure the digital reality we deliver
>
> You don't deliver anything. Website authors deliver content, you're just
> transmitting it. How authors transmit is up to them, not to you.
>

Browser vendors provide us with the ability to deliver content using VR
hardware; I don't see your point here.

>>
>> to users is authenticated,
>
> TLS does nothing whatsoever for authentication in any way.
>

It authenticates the content provider to the user.

>>
>> integrity-checked, and confidential.
>
> Those largely don't matter in any way specific to WebVR, in fact, they
> matter even less for WebVR than for general web content.
>

Here I agree with you, I would like to see what information we exactly try
to protect from prying eyes. Integrity, though, I accept as a valuable
asset.

>> We welcome feedback, especially if this policy makes your planned use
>> case infeasible!
>
> TLS makes all kinds of things infeasible.

Can you give an example?

Received on Wednesday, 13 July 2016 10:04:02 UTC