- From: Sean McBeth <sean.mcbeth@primrosevr.com>
- Date: Wed, 13 Jul 2016 07:23:52 -0400
- To: Florian Bösch <pyalot@gmail.com>
- Cc: Martin Splitt <mr.avgp@gmail.com>, Brandon Jones <bajones@google.com>, Chris Van Wiemeersch <cvan@mozilla.com>, public-webvr@w3.org
- Message-ID: <CAFkgwSBpzhXBcLpC8uDTDdbtkSGN7FWox1o==9_v7++dG7+-Xg@mail.gmail.com>
On LetsEncrypt: the Windows/IIS story is effectively non-existent. I don't think it is very good to be suggesting a "solution" that effectively dictates a platform. I know Windows isn't popular, and in a perfect world I'd certainly like to be off of it, but Oculus and Valve have restricted the HMDs, under some post-hoc rationalization that Apple and X.org have hobbled the OSes. For once, it's *not* Microsoft's fault I'm stuck on Windows. On Jul 13, 2016 7:07 AM, "Florian Bösch" <pyalot@gmail.com> wrote: > If TLS would fulfill the following criteria I would not object in any way > to its promotion of use for everything. > > 1. Free for any scope and use > 2. Censorship resistant > 3. Surveillance resistant > 4. Fast (as in not significantly slower for all use-cases) > 5. Decentralized > 6. Easy to deploy > 7. Not jurisdiction bound (no US-based root CA, no US-based "free" > providers) > 8. Included with every domain (including every subdomain, or any > domain (wildcard)) > 9. Implementations where straightforward, bug-resistant, minimal and > easy to integrate, available in a variety of languages and environments > 10. The protocol wasn't a completely lost cause of legacy gunk > 11. It was so well engineered that even homegrown implementations of > it would be easy to get right > 12. It would not impose various restrictions on the use of networks, > that present a restriction of how networks used to be used > > TLS is so far away from all of this, that I find it fundamentally > objectionable to promote its use universally. If you want to use TLS as it > exists, fine. Enforcing it on everybody: principled absolute nono. > > > On Wed, Jul 13, 2016 at 12:46 PM, Chris Van Wiemeersch <cvan@mozilla.com> > wrote: > >> Not to dispute the very legitimate points addressed in the past few >> threads, just FYI it's possible to start Chrome and Firefox such that a >> local web server is not needed (for three.js/A-Frame/WebVR development, for >> example): >> https://github.com/mrdoob/three.js/wiki/How-to-run-things-locally#content-loaded-from-external-files >> >> I try to link to that page in project READMEs and documentation. Just >> trying to spread the knowledge, but obviously I'm not dismissing the other >> points. >> >> The same-origin policy is a hassle, yes. It's also the sandbox that >> enables folks to load a web page and not be afraid of getting a virus. >> FWIW, IME, most (non-super-technical) folks I've encountered understand >> this. And they're the same folks who get scared when they see contextless >> permission prompts and blindly accept them because… all my friends use >> Whatsapp or Snapchat. Again, not an excuse. It's just the landscape today. >> >> For folks interested, Anne van Kesteren (standards guru at Mozilla) has >> written quite a few good pieces on his blog about these very topics. Though >> he's advocated for the same-origin policy (for the aforementioned reasons), >> he is also critical of its hinderance to web development (and consumption >> of web pages): https://annevankesteren.nl/2016/07/web-computing >> >> >> On Wed, Jul 13, 2016 at 3:36 AM, Sean McBeth <sean.mcbeth@primrosevr.com> >> wrote: >> >>> It comes to my attention that the issue with XmlHTTPRequest is not to do >>> with secure origins, but same-origin policy. So I also have to keep track >>> of multiple ways in which my page may not work, for no other reason than >>> "browser refuses to do what is syntactically correct". It's a serious >>> barrier to adoption for new developers. >>> On Jul 13, 2016 6:29 AM, "Sean McBeth" <sean.mcbeth@primrosevr.com> >>> wrote: >>> >>>> >>>> On Jul 13, 2016 6:04 AM, "Martin Splitt" <mr.avgp@gmail.com> wrote: >>>> >>>> > >> We welcome feedback, especially if this policy makes your planned >>>> use case infeasible! >>>> > > >>>> > > TLS makes all kinds of things infeasible. >>>> > >>>> > Can you give a example? >>>> >>>> For one thing, your own file system is not considered a secure origin. >>>> I've ran into lots of people trying to get into WebVR that just don't >>>> understand what that means. They see a page, they see they can link to >>>> images on that page, they can double click on that file and see the >>>> results. It never occurs to then that they need to run a local web server. >>>> If they don't already know what that means, it's nearly impossible to >>>> explain the indirection. Why do they need a web server when the file is >>>> right there? >>>> >>>> I know several more people who have no idea how to setup a self-signed >>>> certificate on their machine to be able to test features on their own >>>> networks. OpenSSL is not that easy to install on Windows. A similar fiat >>>> decision was made for WebRTC. I eventually just copied the certs off of my >>>> production site and live with the cert warnings. S terrible solution to a >>>> stupid problem. >>>> >>>> Frankly, I've been a web dev for 20 years and it feels rather >>>> ridiculous that web dev is harder, more cumbersome *today*. I don't even >>>> get why disabling XmlHTTPRequest was necessary, rather than restricting it >>>> to the parent directory of the page. >>>> >>>> I agree with Florian. It's on Google to provide tools, not dictate how >>>> they are used. >>>> >>> >> >
Received on Wednesday, 13 July 2016 11:24:31 UTC