I would also add that I've seen cases where attempting to allow a blocked popup doesn't work, you have to allow the site then reload the page that triggered the popup. Obviously that is a bug in our code that we should fix but until we do removing the permission option would entirely break these sites.
On Fri, Mar 6, 2015 at 12:06 PM, Justin Dolske <dol...@mozilla.com> wrote: > It does seem to me that popup-blocking isn't a great fit for this list. > AIUI this started from Chrome's intent to start moving "powerful" features > to SSL-only (with this being a first step), and allowing popups doesn't > seem like that kind of feature. > > It's also worth noting that our popup blocker is not perfect, and there > are various ways around it. So if a MITM attacker wants to inject popups > into a non-SSL page, they'd presumably just do it in a way that doesn't > require exceptions in the first place. > > Justin > > On Fri, Mar 6, 2015 at 10:31 AM, Ehsan Akhgari <ehsan.akhg...@gmail.com> > wrote: > >> On 2015-03-06 1:23 PM, andreas....@gmail.com wrote: >> >>> >>> On Mar 6, 2015, at 6:18 PM, Ehsan Akhgari <ehsan.akhg...@gmail.com> >>>> wrote: >>>> >>>> On 2015-03-06 1:14 PM, andreas....@gmail.com wrote: >>>> >>>>> >>>>> On Mar 6, 2015, at 5:52 PM, Anne van Kesteren <ann...@annevk.nl> >>>>>> wrote: >>>>>> >>>>>> On Fri, Mar 6, 2015 at 6:33 PM, <andreas....@gmail.com> wrote: >>>>>> >>>>>>> Is the threat model for all of these permissions significant enough >>>>>>> to warrant the breakage? >>>>>>> >>>>>> >>>>>> What breakage do you envision? >>>>>> >>>>> >>>>> I can no longer unblock popups on sites that use HTTP. The web is a >>>>> big place. It will take a long time for everyone to move. >>>>> >>>> >>>> I think Anne is not proposing that. He's proposing blocking persisting >>>> those permissions. IOW you would be able to still show popups from these >>>> websites, but you won't be able to ask Firefox to remember your preference. >>>> >>> >>> I know but we will break the persisting. The user will be annoyed that >>> popup unblocking doesn’t work as expected on HTTP sites. >>> >>> I am all for securing dangerous permissions but popups and notifications >>> seems more like we are wagging our finger at the user in unhelpful ways. >>> Most users will simply think Firefox is broken. >>> >> >> Notifications are a much newer feature than pop-ups and are not as widely >> used yet, so hopefully with the case of notifications we can stop >> persisting the permission right now without having too many people wonder >> why they can't persist the permission. Perhaps it makes more sense to >> start with geolocation, fullscreen and pointerlock first. >> >> One thing to note is that there are still large Web properties which at >> least use geolocation and fullscreen from HTTP (Bing Maps for example for >> geolocation, and player.vimeo.com for embedded vimeo videos usin >> fullscreen). We should probably start evangelizing this sooner than later >> to those Web sites, and perhaps also to the general developer community >> through a hacks blog post and similar venues. >> >> _______________________________________________ >> firefox-dev mailing list >> firefox-...@mozilla.org >> https://mail.mozilla.org/listinfo/firefox-dev >> > > > _______________________________________________ > firefox-dev mailing list > firefox-...@mozilla.org > https://mail.mozilla.org/listinfo/firefox-dev > > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
