On 2014-09-05, 4:37 PM, Chris Peterson wrote:
On 9/5/14 4:39 AM, Henri Sivonen wrote:
>* Geolocation
In principle, I think geolocation should be restricted to
authenticated origins. Unfortunately, it might be too late
compatibility-wise to do that at this point. Also, since the
geolocation responses are easily proxied over postMessage, I think the
potential for wind is less than with gUM, whose response is a special
kind of object that doesn't travel (I hope!) over postMessage.
Google Maps and Yahoo Maps use HTTPS, but MapQuest and Bing Maps use
HTTP. Before we could restrict geolocation to authenticated origins, we
would need to convince Microsoft and MapQuest to use HTTPS (or whitelist
their sites).
Those are not the only websites using the API. There are many more. I
think we have probably lost our chance to make any changes here.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
