On 12/20/2016 06:20 PM, Edmund Wong wrote:
> Richard Barnes wrote:
>> Broadly speaking, this plan would entail limiting new features to secure
>> contexts, followed by gradually removing legacy features from insecure
>> contexts. Having an overall program for HTTP deprecation makes a clear
>> statement to the web community that the time for plaintext is over -- it
>
> There is nothing wrong with plaintext just as long as it isn't something
> credential-like. Also, what you're doing will only make a clear
> statement to the web community that you are forcing something on them
> and limiting THEIR choices of broadcasting their information as they
> see fit.
> IOW, "deprecating HTTP" is not a good idea.

If I have a browser exploit that I can embed in a <script> tag, I can
inject it into all of the HTTP network traffic on my LAN. Not so nice if
visiting an HTTP website at Starbucks or the public library gets you pwned.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform