On 2014-09-30, 4:29 AM, Henri Sivonen wrote:
> > More immediately we should make it impossible to make persistent
> > grants for these features on unauthenticated origins.
>
> This I agree with when it comes to privacy-sensitive API: Granting a
> persistent permission to an http: origin amounts to granting a
> persistent permission to everyone who in the future has a chance of
> performing an active MITM attack on you.

I also think that we should definitely stop persisting the geolocation
permission grant for non-authenticated origins. I'm not really sure if
web compat allows us to remove support for the API completely (although
admittedly I don't have data on this.)
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform