Re: [webvr] Chrome WebVR available only on secure origins

I agree that requiring SSL will undemocratise WebVR because getting SSL can
be quite a challenge and incurs a cost. That's not the open web anymore.

I'm also worried about embedding, an important use case for Vizor.io is to
be able to embed your production into any web page.

Overall I think this change is too prohibitive and not necessary to begin
with - IMHO adequate security provisions like CORS are already in place.

Best regards,

Jaakko

On Wed, Jul 13, 2016 at 2:23 PM, Sean McBeth <sean.mcbeth@primrosevr.com>
wrote:

> On LetsEncrypt: the Windows/IIS story is effectively non-existent. I don't
> think it is very good to be suggesting a "solution" that effectively
> dictates a platform.
>
> I know Windows isn't popular, and in a perfect world I'd certainly like to
> be off of it, but Oculus and Valve have restricted the HMDs, under some
> post-hoc rationalization that Apple and X.org have hobbled the OSes. For
> once, it's *not* Microsoft's fault I'm stuck on Windows.
> On Jul 13, 2016 7:07 AM, "Florian Bösch" <pyalot@gmail.com> wrote:
>
>> If TLS would fulfill the following criteria I would not object in any way
>> to its promotion of use for everything.
>>
>>    1. Free for any scope and use
>>    2. Censorship resistant
>>    3. Surveillance resistant
>>    4. Fast (as in not significantly slower for all use-cases)
>>    5. Decentralized
>>    6. Easy to deploy
>>    7. Not jurisdiction bound (no US-based root CA, no US-based "free"
>>    providers)
>>    8. Included with every domain (including every subdomain, or any
>>    domain (wildcard))
>>    9. Implementations were straightforward, bug-resistant, minimal and
>>    easy to integrate, available in a variety of languages and environments
>>    10. The protocol wasn't a completely lost cause of legacy gunk
>>    11. It was so well engineered that even homegrown implementations of
>>    it would be easy to get right
>>    12. It would not impose various restrictions on the use of networks,
>>    that present a restriction of how networks used to be used
>>
>> TLS is so far away from all of this, that I find it fundamentally
>> objectionable to promote its use universally. If you want to use TLS as it
>> exists, fine. Enforcing it on everybody: principled absolute nono.
>>
>>
>> On Wed, Jul 13, 2016 at 12:46 PM, Chris Van Wiemeersch <cvan@mozilla.com>
>> wrote:
>>
>>> Not to dispute the very legitimate points addressed in the past few
>>> threads, just FYI it's possible to start Chrome and Firefox such that a
>>> local web server is not needed (for three.js/A-Frame/WebVR development, for
>>> example):
>>> https://github.com/mrdoob/three.js/wiki/How-to-run-things-locally#content-loaded-from-external-files
>>>
>>> I try to link to that page in project READMEs and documentation. Just
>>> trying to spread the knowledge, but obviously I'm not dismissing the other
>>> points.
>>>
>>> The same-origin policy is a hassle, yes. It's also the sandbox that
>>> enables folks to load a web page and not be afraid of getting a virus.
>>> FWIW, IME, most (non-super-technical) folks I've encountered understand
>>> this. And they're the same folks who get scared when they see contextless
>>> permission prompts and blindly accept them because… all my friends use
>>> Whatsapp or Snapchat. Again, not an excuse. It's just the landscape today.
>>>
>>> For folks interested, Anne van Kesteren (standards guru at Mozilla) has
>>> written quite a few good pieces on his blog about these very topics. Though
>>> he's advocated for the same-origin policy (for the aforementioned reasons),
>>> he is also critical of its hindrance to web development (and consumption
>>> of web pages): https://annevankesteren.nl/2016/07/web-computing
>>>
>>>
>>> On Wed, Jul 13, 2016 at 3:36 AM, Sean McBeth <sean.mcbeth@primrosevr.com>
>>> wrote:
>>>
>>>> It comes to my attention that the issue with XMLHttpRequest is not to
>>>> do with secure origins, but same-origin policy. So I also have to keep
>>>> track of multiple ways in which my page may not work, for no other reason
>>>> than "browser refuses to do what is syntactically correct". It's a serious
>>>> barrier to adoption for new developers.
>>>> On Jul 13, 2016 6:29 AM, "Sean McBeth" <sean.mcbeth@primrosevr.com>
>>>> wrote:
>>>>
>>>>>
>>>>> On Jul 13, 2016 6:04 AM, "Martin Splitt" <mr.avgp@gmail.com> wrote:
>>>>>
>>>>> > >> We welcome feedback, especially if this policy makes your planned
>>>>> > >> use case infeasible!
>>>>> > >
>>>>> > > TLS makes all kinds of things infeasible.
>>>>> >
>>>>> > Can you give an example?
>>>>>
>>>>> For one thing, your own file system is not considered a secure origin.
>>>>> I've run into lots of people trying to get into WebVR that just don't
>>>>> understand what that means. They see a page, they see they can link to
>>>>> images on that page, they can double click on that file and see the
>>>>> results. It never occurs to them that they need to run a local web server.
>>>>> If they don't already know what that means, it's nearly impossible to
>>>>> explain the indirection. Why do they need a web server when the file is
>>>>> right there?
>>>>>
>>>>> I know several more people who have no idea how to set up a self-signed
>>>>> certificate on their machine to be able to test features on their own
>>>>> networks. OpenSSL is not that easy to install on Windows. A similar fiat
>>>>> decision was made for WebRTC. I eventually just copied the certs off of my
>>>>> production site and live with the cert warnings. A terrible solution to a
>>>>> stupid problem.
>>>>>
>>>>> Frankly, I've been a web dev for 20 years and it feels rather
>>>>> ridiculous that web dev is harder, more cumbersome *today*. I don't even
>>>>> get why disabling XMLHttpRequest was necessary, rather than restricting it
>>>>> to the parent directory of the page.
>>>>>
>>>>> I agree with Florian. It's on Google to provide tools, not dictate how
>>>>> they are used.
>>>>>
>>>>
>>>
>>


-- 
Jaakko Manninen
CTO, Vizor.io
+358-44-989-1619
@Vizor_VR / @kschzt

Received on Wednesday, 13 July 2016 14:16:05 UTC