One idea that has been floated (https://bugzilla.mozilla.org/show_bug.cgi?id=1002676) is to restrict persistent permissions to secure origins. The reasoning there being that a persistent grant can be trivially intercepted if you work in the clear. That's a real security concern. One that gUM requires.
We might like to consider extending that to geolocation too. But it's not clear that the security benefits are outweighed by the inconvenience. The real solution is for those sites to get their act together, but that's a tall order. I agree with Henri and others who have said that we shouldn't be following Google's example regarding restricting feature access to secure origins though. ----- Original Message ----- From: "Ehsan Akhgari" <[email protected]> To: "Chris Peterson" <[email protected]>, [email protected] Sent: Friday, September 5, 2014 2:53:21 PM Subject: Re: Restricting gUM to authenticated origins only On 2014-09-05, 5:46 PM, Chris Peterson wrote: > > On 9/5/14 2:38 PM, Ehsan Akhgari wrote: >>> Google Maps and Yahoo Maps use HTTPS, but MapQuest and Bing Maps use >>> HTTP. Before we could restrict geolocation to authenticated origins, we >>> would need to convince Microsoft and MapQuest to use HTTPS (or whitelist >>> their sites). >> >> Those are not the only websites using the API. There are many more. I >> think we have probably lost our chance to make any changes here. > > Yes. Sorry, I didn't make myself clear. I meant that, if major map > websites like Bing and MapQuest are using geolocation without HTTPS, > then the longtail of HTTP sites is probably too long to ever fix. :\ Yep, unfortunately, agreed! _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform _______________________________________________ dev-platform mailing list [email protected] https://lists.mozilla.org/listinfo/dev-platform
