On Mon, May 4, 2015 at 9:39 AM, Florian Bösch <pya...@gmail.com> wrote:
> On Mon, May 4, 2015 at 6:33 PM, Adam Roach <a...@mozilla.com> wrote: > > > You have made some well-thought-out contributions to conversations at > > Mozilla in the past. I'm a little sad that you're choosing not to > > participate in a useful way here. > > > > I think this is a pretty relevant contribution. Obviously it's not the kind > of story you want to hear. It's also not the story I want to hear. But we > can't pick and choose what we will get. And that's what you'll get: > > I have polled a client of mine which has a small web property that contains > a WebGL widget which does include a fullscreen button. > > Here is what I wrote that client: > > I'd like to inform you that it's likely that the fullscreen button will > > break in google chrome and firefox in the forseeable future (mid > > 2015-2016). For security reasons browsers want to disable fullscreen if > you > > are not serving the website over HTTPS. > > Starting mid 2015 a new SSL Certificate Authority will offer free > > certificates (https://letsencrypt.org/) > > Do you think you could host your site over HTTPS to prevent the > fullscreen > > button breaking? If required, I could also remove the fullscreen button. > > > The clients response below: > > I appreciate the heads up. > > Redesigning our site to use HTTPS is probably possible but I currently do > > not have time and resources to undertake that task. > > Would it be possible to let me know when you get the information that the > > first production Chrome or Firefox is released? At that time I can > > certainly disable the fullscreen function myself as this is real easy to > do > > in your .js file. > > > So yeah, again, Congrats. This would be more useful if you explained what they considered the cost of converting to HTTPS so, so we could discuss ways to ameliorate that cost. With that said, fullscreen is actually a good example of a feature which really benefits from being over HTTPS. Consider what happens if the user grants a persistent permission to site X to use fullscreen. At that point, any network attacker can take over the user's entire screen without their consent by pretending to be site X. Note that this is true *even if* the real version of site X doesn't do anything sensitive. So, I think it should be fairly easy to understand why we want to limit access to fullscreen over HTTP. -Ekr _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
