When plans like this aren't rolled out across all browsers together, users inevitably come across a broken site and say "Firefox works with this site, but Safari gives a warning. Safari must be broken". Better security is punished.
Having this determined by a browser release is also bad. "My up-to-date Firefox is broken, but my old Safari works. Updating breaks things and must be bad!". Secure practices are punished.

All browsers could change their behaviour on a specific date and time. But that would lead to stampedes of webmasters having issues all at once. And if there's any unforeseen compatibility issue, you just broke the entire world. Not so great.

So might I suggest the best rollout plan is to apply policies based on a hash of the origin and a timestamp. I.e. on a specific date, 1% of sites have the new policies enforced, while 99% do not. Then a month later, it's up to 51%, and another month later it's up to 100%. Webmasters can now see the date and time policies will be enforced for their site, and there is no risk of breaking the entire internet on the same day.

Developer builds could apply the policies a few weeks early to give a heads up.
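
An added example, not part of the original post or of any browser's code: one way to derive a per-origin enforcement date from a hash of the origin and the clock. Only the 1% / 51% / 100% steps a month apart come from the post; the stage dates, the two-week developer-build lead, the bucket count and the POLICY_ID salt are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed schedule: the post gives the percentages and the one-month
# spacing, not the dates.
STAGES = [
    (datetime(2030, 1, 1, tzinfo=timezone.utc), 1),
    (datetime(2030, 2, 1, tzinfo=timezone.utc), 51),
    (datetime(2030, 3, 1, tzinfo=timezone.utc), 100),
]
DEV_BUILD_LEAD = timedelta(weeks=2)  # assumed value for "a few weeks early"
POLICY_ID = "example-policy"         # hypothetical salt, one per policy
BUCKETS = 10_000                     # assumed granularity (0.01% steps)


def origin_bucket(origin: str) -> int:
    """Stable bucket in [0, BUCKETS) that depends only on the origin."""
    # Scheme and host are case-insensitive; the caller is assumed to pass a
    # serialised origin (scheme://host[:port]) without a path.
    normalized = origin.strip().lower().rstrip("/")
    digest = hashlib.sha256(f"{POLICY_ID}|{normalized}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % BUCKETS


def enforcement_date(origin: str, dev_build: bool = False) -> datetime:
    """Date from which the policy applies to this origin."""
    bucket = origin_bucket(origin)
    lead = DEV_BUILD_LEAD if dev_build else timedelta(0)
    for start, percent in STAGES:
        # Thresholds only grow, so a site enforced in one stage stays
        # enforced in every later stage.
        if bucket < percent * BUCKETS // 100:
            return start - lead
    raise ValueError("the final stage must cover 100% of origins")


def is_enforced(origin: str, now: datetime, dev_build: bool = False) -> bool:
    """The check every browser can make from the origin and the clock alone."""
    return now >= enforcement_date(origin, dev_build)


if __name__ == "__main__":
    for site in ("https://example.com", "https://example.org"):  # constructed
        print(site, enforcement_date(site).date(),
              "dev builds:", enforcement_date(site, dev_build=True).date())
```

Because the bucket depends only on the origin and the policy salt, every browser and every browser version reaches the same answer for a given site at a given time, and a webmaster can compute their own date in advance.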