Please note that the main discussion for this is intended to be on the blin...@chromium.org mailing list (https://groups.google.com/a/chromium.org/forum/#!forum/blink-dev). However, to alert relevant groups of the intent, we have bcc’d the following lists on this email:
public-h...@w3.org
We want to start applying the concepts in https://w3c.github.io/webappsec/specs/powerfulfeatures/ to features that have already shipped and which do not meet the (new, not present at the time) requirements. We want to start by requiring secure origins for these existing features:
- Device motion / orientation
- EME
- Fullscreen
- Geolocation
- getUserMedia
As with gradually marking HTTP as non-secure (https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure), we expect to gradually migrate these features to secure-only, based on thresholds of usage, starting with lowest usage and moving towards higher. We also expect to gradually indicate in the UX that the features are deprecated for non-secure origins.
The deprecation strategy for each of these features is not decided on and may very well differ from feature to feature. We don’t currently know what the thresholds will be, or how heavily used the features are on what kinds of origins. We are in the process of gathering data, and will report back when we have it. There are no firm plans at all at this time, other than eventual deprecation. We intend for this to stimulate a public discussion of the best way to approach this deprecation. So, to that point, we'd love to hear what the community thinks.
Thanks,
Joel Weinberger, Chrome Security
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
I should also mention that, generically, we believe all of these features fit under the "requires privileged context" definition as proposed in https://w3c.github.io/webappsec/specs/powerfulfeatures/#feature-requires-privilege. If you disagree, of course please make the case.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
A good first step would be to add use counters in all of the places where an API would fail on an insecure origin.
I note that Fullscreen it isn't in the Privileged Contexts list, but that's OK, I think these changes should be accepted into the respective specs, even if optional to implement. For example, the fullscreen element ready check would be the place for Fullscreen. Otherwise there's a chance that the point of failure (which could be observable) is different in different browsers.
What is going to be the protocol for development environment? Should one deal with ssl just to quickly test out the code?
What if a service streams video, which requires full screen feature? It takes quite a bit more compute power to pack it into encrypted connection, and what if the video is not of any value as a secure content. Why should people be forced to encrypt and decrypt spending extra power (battery, in case of portable devices) on it?
SSL does not guarantee the security de-facto.
Also, there is plenty of personal data that is being passed through a non-encrypted connection, which is way more valuable.
adding these restrictions is equivalent to telling developers that they must now pay to unlock features of the browser.
I worry these changes will hamper creativity and innovation among hobbyists and independent developers. I cannot imagine jumping through hoops and SSL configurations just to get a small Canvas, WebGL or WebVR experiment off the ground.One of the most attractive aspects of web programming -- and one of the reasons the JavaScript creative/interactive community is currently booming with beginners and experts alike -- is the extremely low barrier to entry. Complex applications and rich artistic experiences utilizing device motion, webcam, geolocation, etc are easy to build, and even easier for others to open up and view.A few examples of projects and experiments that might be hampered with higher barriers and increased restrictions:
I did mention these concerns on Twitter and people proposed some possible solutions that would be much less onerous than fully restricting Fullscreen API to HTTPS only:- show originating URL on fullscreen warning
On Fri, Feb 27, 2015 at 7:48 PM, <postf...@gmail.com> wrote:[snip]I did mention these concerns on Twitter and people proposed some possible solutions that would be much less onerous than fully restricting Fullscreen API to HTTPS only:- show originating URL on fullscreen warningThis may be the core of some misunderstanding. When a browser receives a page over HTTP, there is no originating URL since anyone on its network could have replaced the content. HTTPS makes the difference between "Do you trust foo.com to use your X?" and "Do you trust the folks sitting at your coffee shop, your ISP, several other network providers, and foo.com to use your X?"