- From: Sean McBeth <sean.mcbeth@primrosevr.com>
- Date: Wed, 13 Jul 2016 08:10:23 -0400
- To: Jeff Sonstein <jsonstein@gmail.com>
- Cc: Brandon Jones <bajones@google.com>, public-webvr@w3.org
- Message-ID: <CAFkgwSDpWMtskXH0Ke0obs3eucKv65g3ZBP7h8R2vSJRn-5_=Q@mail.gmail.com>
Used to be a day all anyone needed to publish on the web was the plain text editor that came with the OS on the computer at their local library and a free host like Geocities. Yes, some people abused those free hosts, but I don't think eliminating them is going to have a significant impact on such motivated individuals. It's most likely just going to squeeze out people who otherwise won't be able to afford to publish online. Indeed, that is exactly how I started. I can't say for certain that free library computer broke a chain of perpetual poverty in my family, but it certainly didn't hurt. It was certainly the beginning point in a 25 year-long journey that has me now running my own VR business. I am not able to support anything that could harm that same opportunity for anyone else. On Jul 13, 2016 8:06 AM, "Jeff Sonstein" <jsonstein@gmail.com> wrote: > IMHO same-origin no problem > but HTTPS-only is def problematic > given the realities of the Web > > jeffs > -- > Jeff Sonstein > Assoc. Prof. (ret'd) > College of Computing, R.I.T. > > > On Jul 13, 2016, at 12:29 AM, Brandon Jones <bajones@google.com> wrote: > > Following conversations with Chrome's security teams, we are now planning > on making WebVR only available to secure origins when it officially > launches. This is consistent with our current policy for powerful new > features > <https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>, > and we definitely consider WebVR to be a powerful feature! We are, in > effect, giving sites the ability to take over not just your cursor or your > screen but completely override one of your senses. It's prudent for us to > ensure the digital reality we deliver to users is authenticated, > integrity-checked, and confidential. > > We realize that some developers have strong opinions on this subject. We > welcome feedback, *especially *if this policy makes your planned use case > infeasible! But we also feel that the development community around a new > feature like this is actually in the best position to gracefully handle > this requirement. WebVR projects are less likely to have large amounts of > legacy code that needs to be updated to support HTTPS. Additionally, > efforts like Lets Encrypt are in full swing and make it easier than ever to > make your sites secure. > > This change will not appear in my experimental binaries for a little > while, but we wanted to make sure the community was aware of the change > well in advance so that everyone has time to make the appropriate changes > and provide us with any feedback you might have. > > Thanks! > --Brandon Jones > > (PS: If you're reading this on web-vr-discuss@mozilla.org, I encourage > you to join the public-webvr@w3.org mailing list! That's to official > public mailing list for our community group > <https://www.w3.org/community/webvr/> and the channel that will be used > for communication like this in the future.) > > >
Received on Wednesday, 13 July 2016 12:10:52 UTC