On Tue, Oct 25, 2016 at 6:51 PM, Chris Peterson <cpeter...@mozilla.com> wrote: > What is the threat model for geolocation over HTTP? That a coffee shop, ISP, > or Big Brother will MITM a non-secure site so as to sniff a user's location? > To reduce location leaks without breaking non-secure geolocation, perhaps we > could always require door hanger permission for geolocation requests on HTTP > sites?
The basic problem is prompting the user at all for non-HTTPS since that leads them to think they can make an informed decision whereas that's very much unclear. So prompting more would just make the problem worse. We want to get to a place where when we prompt the user on behalf of a website we have some certainty who is asking the question (i.e., HTTPS). -- https://annevankesteren.nl/ _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform