Re: [webvr] Chrome WebVR avaliable only on secure origins

If TLS would fulfill the following criteria I would not object in any way
to its promotion of use for everything.

   1. Free for any scope and use
   2. Censorship resistant
   3. Surveillance resistant
   4. Fast (as in not significantly slower for all use-cases)
   5. Decentralized
   6. Easy to deploy
   7. Not jurisdiction bound (no US-based root CA, no US-based "free"
   providers)
   8. Included with every domain (including every subdomain, or any domain
   (wildcard))
   9. Implementations where straightforward, bug-resistant, minimal and
   easy to integrate, available in a variety of languages and environments
   10. The protocol wasn't a completely lost cause of legacy gunk
   11. It was so well engineered that even homegrown implementations of it
   would be easy to get right
   12. It would not impose various restrictions on the use of networks,
   that present a restriction of how networks used to be used

TLS is so far away from all of this, that I find it fundamentally
objectionable to promote its use universally. If you want to use TLS as it
exists, fine. Enforcing it on everybody: principled absolute nono.


On Wed, Jul 13, 2016 at 12:46 PM, Chris Van Wiemeersch <cvan@mozilla.com>
wrote:

> Not to dispute the very legitimate points addressed in the past few
> threads, just FYI it's possible to start Chrome and Firefox such that a
> local web server is not needed (for three.js/A-Frame/WebVR development, for
> example):
> https://github.com/mrdoob/three.js/wiki/How-to-run-things-locally#content-loaded-from-external-files
>
> I try to link to that page in project READMEs and documentation. Just
> trying to spread the knowledge, but obviously I'm not dismissing the other
> points.
>
> The same-origin policy is a hassle, yes. It's also the sandbox that
> enables folks to load a web page and not be afraid of getting a virus.
> FWIW, IME, most (non-super-technical) folks I've encountered understand
> this. And they're the same folks who get scared when they see contextless
> permission prompts and blindly accept them because… all my friends use
> Whatsapp or Snapchat. Again, not an excuse. It's just the landscape today.
>
> For folks interested, Anne van Kesteren (standards guru at Mozilla) has
> written quite a few good pieces on his blog about these very topics. Though
> he's advocated for the same-origin policy (for the aforementioned reasons),
> he is also critical of its hinderance to web development (and consumption
> of web pages): https://annevankesteren.nl/2016/07/web-computing
>
>
> On Wed, Jul 13, 2016 at 3:36 AM, Sean McBeth <sean.mcbeth@primrosevr.com>
> wrote:
>
>> It comes to my attention that the issue with XmlHTTPRequest is not to do
>> with secure origins, but same-origin policy. So I also have to keep track
>> of multiple ways in which my page may not work, for no other reason than
>> "browser refuses to do what is syntactically correct". It's a serious
>> barrier to adoption for new developers.
>> On Jul 13, 2016 6:29 AM, "Sean McBeth" <sean.mcbeth@primrosevr.com>
>> wrote:
>>
>>>
>>> On Jul 13, 2016 6:04 AM, "Martin Splitt" <mr.avgp@gmail.com> wrote:
>>>
>>> > >> We welcome feedback, especially if this policy makes your planned
>>> use case infeasible!
>>> > >
>>> > > TLS makes all kinds of things infeasible.
>>> >
>>> > Can you give a example?
>>>
>>> For one thing, your own file system is not considered a secure origin.
>>> I've ran into lots of people trying to get into WebVR that just don't
>>> understand what that means. They see a page, they see they can link to
>>> images on that page, they can double click on that file and see the
>>> results. It never occurs to then that they need to run a local web server.
>>> If they don't already know what that means, it's nearly impossible to
>>> explain the indirection. Why do they need a web server when the file is
>>> right there?
>>>
>>> I know several more people who have no idea how to setup a self-signed
>>> certificate on their machine to be able to test features on their own
>>> networks. OpenSSL is not that easy to install on Windows. A similar fiat
>>> decision was made for WebRTC. I eventually just copied the certs off of my
>>> production site and live with the cert warnings. S terrible solution to a
>>> stupid problem.
>>>
>>> Frankly, I've been a web dev for 20 years and it feels rather ridiculous
>>> that web dev is harder, more cumbersome *today*. I don't even get why
>>> disabling XmlHTTPRequest was necessary, rather than restricting it to the
>>> parent directory of the page.
>>>
>>> I agree with Florian. It's on Google to provide tools, not dictate how
>>> they are used.
>>>
>>
>

Received on Wednesday, 13 July 2016 11:07:54 UTC