On Fri, Mar 6, 2015 at 9:27 AM, Anne van Kesteren <ann...@annevk.nl> wrote:
> I suggest we stop offering that
> functionality when there's no lock in the address bar.

Anne, thanks for doing this. +1 from me. I've opened bugs on this in the past, but this is definitely a better forum for having the discussion.

On Fri, Mar 6, 2015 at 9:33 AM, <andreas....@gmail.com> wrote:
> Is the threat model for all of these permissions significant enough to
> warrant the breakage? Popups for example are annoying, but a spoofed origin
> to take advantage of whitelisted popups seems not terribly dangerous.

The important thing to note is that this doesn't break sites, it just removes that avenue of attack. You might say that having a local network attacker able to see what your webcam is looking at is not scary, but I'm going to disagree. Also c.f. RFC 7258.

It gets quite a lot more serious when an attacker is able to persist their attack beyond their initial interaction. For instance, if the attacker can persist scripts for an origin, they can add a bug that persists beyond their initial attack, as long as the site is visited.

And of course, while an attacker is able to actively participate, any unsecured site can be modified so that the attacker can harvest the permission, as long as they can guess a site that has the permission persisted.

On balance - though this is only my opinion - the risk of annoyance is worth it. If you like to use a stick (I don't), you can consider this incentive for sites to move to HTTPS.

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform