- From: Joel Weinberger <jww@chromium.org>
- Date: Fri, 27 Feb 2015 00:03:50 +0000
- To: blink-dev <blink-dev@chromium.org>
- Message-ID: <CAHQV2K=rmkFo5fNrmZjtQDPkJq_rLH8-zM2BaEEDUg9=ZGBh2g@mail.gmail.com>
(+www-tag@w3.org to bcc) On Thu Feb 26 2015 at 3:25:43 PM Joel Weinberger <jww@chromium.org> wrote: > Please note that the main discussion for this is intended to be on the > blink-dev@chromium.org mailing list ( > https://groups.google.com/a/chromium.org/forum/#!forum/blink-dev). > However, to alert relevant groups of the intent, we have bcc’d the > following lists on this email: > > security-dev@chromium.org > > dev-security@lists.mozilla.org > > public-webappsec@w3.org > > public-web-notification@w3.org > > public-device-apis@w3.org > > public-geolocation@w3.org > > public-html-media@w3.org We want to start applying the concepts in > https://w3c.github.io/webappsec/specs/powerfulfeatures/ to features that > have already shipped and which do not meet the (new, not present at the > time) requirements. We want to start by requiring secure origins for these > existing features: - Device motion / orientation - EME - Fullscreen - > Geolocation - getUserMedia As with gradually marking HTTP as non-secure ( > https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure), > we expect to gradually migrate these features to secure-only, based on > thresholds of usage, starting with lowest usage and moving towards higher. > We also expect to gradually indicate in the UX that the features are > deprecated for non-secure origins. The deprecation strategy for each of > these features is not decided on and may very well differ from feature to > feature. We don’t currently know what the thresholds will be, or how > heavily used the features are on what kinds of origins. We are in the > process of gathering data, and will report back when we have it. There are > no firm plans at all at this time, other than eventual deprecation. We > intend for this to stimulate a public discussion of the best way to > approach this deprecation. So, to that point, we'd love to hear what the > community thinks. > > > Thanks, > > Joel Weinberger, Chrome Security >
Received on Friday, 27 February 2015 00:04:19 UTC