Hi everyone. A couple of clarifications and thoughts.
- As mentioned before, there is no timeline for this deprecation. That's
one of the things that we're trying to figure out. We certainly will
consider the "ease of use" of SSL in the timeline. But in the meanwhile,
check out some of the references given earlier (e.g. sslmate,
letsencrypt.org, etc.).
- The problem with fullscreen is not just privacy; it's very much about
MitM attackers. If, for example, http://example.com has a legitimate use
of fullscreen, and the user grants it, now *any* Man-in-the-Middle can
silently use this fullscreen feature. They could inject a phishing attack,
for example. Or, perhaps they could just abuse it for fullscreen ads. In
any case, the concern isn't necessarily http://example.com, but an
attacker.
- As mentioned before, localhost is already considered a "secure
context", which should help with development. Additionally, we intend to
build a flag that will temporarily disable the secure origin requirement
for features for a specific origin. Thus, for testing, this should give a
lot of flexibility.
- I love the idea of restricting persistence of these permissions before
outright deprecation. I do not believe we've done this previously, but it's
certainly something we've discussed.
Keep the comments, thoughts, and ideas coming. Thanks!
--Joel
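
The following is an added example, not part of the original message and not any browser's code. It sketches a simplified secure-origin check (HTTPS/WSS, plus localhost and loopback addresses) and a hypothetical two-stage policy in which grants to insecure origins are first not persisted and later refused; the function names and stage names are assumptions.

```javascript
// Added illustration. Names and policy stages are hypothetical.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

function isLoopbackHost(hostname) {
  if (hostname === "[::1]") return true; // URL.hostname keeps IPv6 brackets
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  // The URL parser has already normalized IPv4 literals to dotted-quad form.
  return /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

// Simplified: real browsers apply a longer algorithm to decide this.
function isSecureOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparseable input is never treated as secure
  }
  return SECURE_SCHEMES.has(url.protocol) || isLoopbackHost(url.hostname);
}

// stage "restrict-persistence": an insecure origin can still be granted the
// feature, but the grant is not remembered, so an on-path attacker cannot
// silently reuse an old grant. Any other stage: insecure origins are refused.
function grantDecision(urlString, stage) {
  if (isSecureOrigin(urlString)) return { allowed: true, persist: true };
  if (stage === "restrict-persistence") return { allowed: true, persist: false };
  return { allowed: false, persist: false };
}
```
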
On Sat, Feb 28, 2015 at 8:14 AM Kevin Chadwick <ma1l...@yahoo.co.uk> wrote: