On Mon, Apr 13, 2015 at 12:11 PM, Gervase Markham <g...@mozilla.org> wrote: > Are you sure "privileged contexts" is the right phrase? Surely contexts > are "secure", and APIs or content is "privileged" by being only > available in a secure context?
There was a long-winded group bike-shed-painting session on the public-webappsec list and this is the term they ended up with. I don't believe that it is the right term either, FWIW. > There's nothing wrong with your plan, but that's partly because it's > hard to disagree with your principle, and the plan is pretty high level. > I think the big arguments will be over when and what features require a > secure context, and how much breakage we are willing to tolerate. Not much, but maybe more than we used to. > I know the Chrome team have a similar plan; is there any suggestion that > we might coordinate on feature re-privilegings? Yes, the intent is definitely to collaborate, as the original email stated. Chrome isn't the only stakeholder, which is why we suggested that we go to the W3C so that the browser formerly known as IE and Safari are included. > Would we put an error on the console when a privileged API was used in > an insecure context? Absolutely. That's likely to be a first step once the targets have been identified. That pattern has already been established for bad crypto and a bunch of other things that we don't like but are forced to tolerate for compatibility reasons. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform