Speaking as someone who (1) chaired the IETF working group on geolocation and privacy for several years, and (2) now manages PKI and crypto for Mozilla -- this is nonsense as stated. It is not our job to break the HTTP-schemed web to force everyone to HTTPS.
Users and web sites have been using geolocation on unauthenticated origins for several years now without major implications. The most common uses involve one-shot access to location for things like content customization. It's no more dangerous than me typing my address into a form. I could agree with Henri's suggestion in the bug that we should limit persistent permissions to authentication origins, as we do with gUM. But in neither case have I heard any coherent rationale for disabling the features entirely, beyond "Nobody should use HTTP anymore", which is clearly a non-starter. --Richard On Sep 26, 2014, at 3:58 PM, Anne van Kesteren <ann...@annevk.nl> wrote: > Exposing geolocation on unauthenticated origins was a mistake. Copying > that for getUserMedia() is too. I suggest that to protect our users we > make some noise about deprecating this practice. And that in that > message we convey we plan to disable both on unauthenticated origins > once 2015 is over. > > More immediately we should make it impossible to make persistent > grants for these features on unauthenticated origins. > > I can reach out to Google (and Apple & Microsoft I suppose, though I > haven't seen much from them on the pro-TLS front) to see if they would > be on board with this and help us spread the message. > > I filed > > https://bugzilla.mozilla.org/show_bug.cgi?id=1072859 > > for geolocation. > > > -- > https://annevankesteren.nl/ > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
