Ryan Sleevi <r...@sleevi.com> writes:

>I hope you can see how I responded to precisely the problem provided.

You responded to that one specific limited instance.  That doesn't work for
anything else where you've got a service that you want to make available over
HTTPS.  Native messaging is a hack to get around a problem with browsers; as
soon as you move off the local machine it reappears again, which is what I was
pointing out.

Since this is something that keeps cropping up, and from all signs will keep
on cropping up, perhaps the browser vendors could publish some sort of
guide/BCP on how to do it right that everyone could follow.  For example:

  HTTPS to localhost: Use Native Messaging
  HTTPS to device on local network (e.g. RFC 1918): ???
  HTTPS to device with non-FQDN: ???
  HTTPS to device with static IP address: ???

This would solve... well, at least take a step towards solving the same issue
that keeps coming up again and again.  If there's a definitive answer,
developers could refer to that and get it right.

Oh, and saying "you need to negotiate a custom deal with a
commercial/public/whatever-you-want-to-call-it CA" doesn't count as a
solution; it has to be something that's actually practical.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
