Re: http-schemed URLs and HTTP/2 over unauthenticated TLS (was: Re: WebCrypto for http:// origins)

2014-09-12 Thread Adam Roach
On 9/12/14 10:07, Trevor Saunders wrote: [W]hen it comes to the NSA we're pretty much just not going to be able to force everyone to use something strong enough they can't beat it. Not to get too far off onto this sidebar, but you may find the following illuminating; not just for potentially a

Re: Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Martin Thomson
On 12/09/14 13:59, Anne van Kesteren wrote: But shouldn't it be aware of this so you can adequately scope the permission? E.g. I could granthttps://amazingmaps.example/ when embedded throughhttps://okaystore.invalid/ permission to use my location. But it would not be given out if it were embedd

Re: Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Anne van Kesteren
On Fri, Sep 12, 2014 at 8:44 PM, Ehsan Akhgari wrote: > The permission manager itself is unaware of browsing contexts, it is the > consumer which decides how to query it. But shouldn't it be aware of this so you can adequately scope the permission? E.g. I could grant https://amazingmaps.example/

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS

2014-09-12 Thread Martin Thomson
On 12/09/14 13:37, Anne van Kesteren wrote: That is something that we should have fixed a long time ago. It's called and is these days also part of CSP. I'll forward that on to those involved. Thanks. ___ dev-platform mailing list dev-platform@lists

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS (was: Re: WebCrypto for http:// origins)

2014-09-12 Thread Anne van Kesteren
On Fri, Sep 12, 2014 at 6:06 PM, Martin Thomson wrote: > And the restrictions on the Referer header field also mean that some > resources can’t be served over HTTPS (their URL shortener is apparently the > last hold-out for http:// at Twitter). That is something that we should have fixed a long

Re: Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Jonas Sicking
On Fri, Sep 12, 2014 at 11:44 AM, Ehsan Akhgari wrote: >> If we rewrite I think it would be good to take top-level browsing >> context partitioning under consideration. That is, if I navigate to >> https://example/ and grant it the ability to do X. And then navigate >> to https://elsewhere.invalid

Re: Intent to implement: Touchpad event

2014-09-12 Thread Ehsan Akhgari
On Thu, Sep 11, 2014 at 7:02 PM, Jonas Sicking wrote: > On Thu, Sep 11, 2014 at 3:21 PM, Ehsan Akhgari > wrote: > > On 2014-09-11, 5:54 PM, smaug wrote: > >> If we just needs new coordinates, couldn't we extend the existing event > interfaces with some new properties? > > > > Yeah, this seems li

Re: Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Ehsan Akhgari
On 2014-09-12, 6:22 AM, Anne van Kesteren wrote: On Fri, Sep 12, 2014 at 11:56 AM, Frederik Braun wrote: Yes and no. I identified this while working on a thesis on the Same Origin Policy in 2012 and filed this only for Geolocation in bug . B

Re: web-platform-tests now running in automation

2014-09-12 Thread James Graham
On 10/09/14 19:32, Aryeh Gregor wrote: > On Tue, Sep 9, 2014 at 3:44 PM, James Graham wrote: >> Yes, I agree too. One option I had considered was making a suite >> "web-platform-tests-mozilla" for things that we can't push upstream e.g. >> because the APIs aren't (yet) undergoing meaningful standa

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS (was: Re: WebCrypto for http:// origins)

2014-09-12 Thread Martin Thomson
On 2014-09-11, at 22:55, Henri Sivonen wrote: > Moreover, https://tools.ietf.org/html/draft-ietf-httpbis-http2-encryption-00 > has the performance overhead of TLS, so it doesn't really address the > "TLS takes too much compute power" objection to https, which is the > usual objection from big sit

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS (was: Re: WebCrypto for http:// origins)

2014-09-12 Thread Trevor Saunders
On Fri, Sep 12, 2014 at 08:55:51AM +0300, Henri Sivonen wrote: > On Thu, Sep 11, 2014 at 9:00 PM, Richard Barnes wrote: > > > > On Sep 11, 2014, at 9:08 AM, Anne van Kesteren wrote: > > > >> On Thu, Sep 11, 2014 at 5:56 PM, Richard Barnes > >> wrote: > >>> Most notably, even over non-secure ori

Re: http-schemed URLs and HTTP/2 over unauthenticated TLS (was: Re: WebCrypto for http:// origins)

2014-09-12 Thread Patrick McManus
On Fri, Sep 12, 2014 at 1:55 AM, Henri Sivonen wrote: > tion to https > that obtaining, provisioning and replacing certificates is too > expensive. > Related concepts are at the core of why I'm going to give Opportunistic Security a try with http/2. The issues you cite are real issues in practic

Re: Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Frederik Braun
On 12.09.2014 12:22, Anne van Kesteren wrote: > On Fri, Sep 12, 2014 at 11:56 AM, Frederik Braun wrote: >> Yes and no. I identified this while working on a thesis on the Same >> Origin Policy in 2012 and filed this only for Geolocation in bug >>

Re: Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Anne van Kesteren
On Fri, Sep 12, 2014 at 11:56 AM, Frederik Braun wrote: > Yes and no. I identified this while working on a thesis on the Same > Origin Policy in 2012 and filed this only for Geolocation in bug > . > > But the general solution might be a permissi

Re: Intent to implement: Touchpad event

2014-09-12 Thread Kershaw Chang
Hi Jonas, That’s a good point. I agree with you that we should only expose this to certified or privileged apps. Thanks and regards, Kershaw 於 2014/9/12 上午1:22,"Jonas Sicking" 寫道: >Hi Kershaw, > >Has there been any discussions with other browser vendors about this >API? Or is there an official

Per-origin versus per-domain restrictions (Re: Restricting gUM to authenticated origins only)

2014-09-12 Thread Frederik Braun
On 12.09.2014 11:51, Henri Sivonen wrote: > On Fri, Sep 12, 2014 at 12:39 PM, Frederik Braun wrote: >> On 11.09.2014 19:04, Anne van Kesteren wrote: >>> On Thu, Sep 11, 2014 at 6:58 PM, Martin Thomson wrote: On 2014-09-11, at 00:56, Anne van Kesteren wrote: > Are we actually partitionin

Re: Restricting gUM to authenticated origins only

2014-09-12 Thread Henri Sivonen
On Fri, Sep 12, 2014 at 12:39 PM, Frederik Braun wrote: > On 11.09.2014 19:04, Anne van Kesteren wrote: >> On Thu, Sep 11, 2014 at 6:58 PM, Martin Thomson wrote: >>> On 2014-09-11, at 00:56, Anne van Kesteren wrote: Are we actually partitioning permissions per top-level browsing contex

Re: Restricting gUM to authenticated origins only

2014-09-12 Thread Frederik Braun
On 11.09.2014 19:04, Anne van Kesteren wrote: > On Thu, Sep 11, 2014 at 6:58 PM, Martin Thomson wrote: >> On 2014-09-11, at 00:56, Anne van Kesteren wrote: >>> Are we actually partitioning permissions per top-level browsing >>> context or could they already accomplish this through an ? >> >> As f