New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 24 users

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug
Team-Security-UX



Sign in to add a comment

Do not persist permissions for powerful features on insecure origins

Project Member Reported by mlamouri@chromium.org, Mar 6 2015 Back to list

Issue description

As a step toward deprecating powerful features on insecure origins, we should stop persisting those permissions.

A first short list would include:
- geolocation
- getUserMedia
- fullscreen
- pointer lock

This is going to require:
- update in Chrome site settings UI
- update in Chrome Android site settings UI
- update how the request granting is handled
 
Cc: ddorwin@chromium.org xhw...@chromium.org
Also Protected Media Identifier (EME)
Cc: lgar...@chromium.org
Is there an ETA which version will make use of secure origins for EME mandatory?

Comment 4 by jww@chromium.org, Jul 28 2015

No, we have not come up with a timeline yet (ddorwin@ can correct me if I'm mistaken).

Comment 5 by palmer@chromium.org, Aug 26 2015

Cc: palmer@chromium.org
Labels: Cr-Security Cr-Security-UX

Comment 6 by Deleted ...@, Sep 1 2015

This appears to be broken in Chrome and Chrome Canary at the moment. See this bug report: http://stackoverflow.com/questions/32328133/in-new-chrome-44-0-2403-157-geolocations-doesnt-works#_=_

Comment 7 by jww@chromium.org, Sep 1 2015

rabinowitz.dan: No change has been made in Chrome re: persistence of Geolocation (this is a tracker bug for when we *do* decide to make that change). If you've experienced the possible bug discussed in that stackoverflow post, can you file a new bug so we can track down what's going wrong? Thanks!

Comment 10 Deleted

Comment 11 Deleted

Cc: mlamouri@chromium.org
Owner: ----
Status: Available (was: NULL)
Labels: -Cr-Permissions Cr-Internals-Permissions

Comment 14 by gluc...@gmail.com, Jan 3 2016

Please please please do not stop geolocation for HTTP origins!
With our national Currency like 0.01 from the USD it will very expensive... :( we have no possibility to move to HTTPS... :(

Comment 15 by f...@chromium.org, Jan 4 2016

gluck59: You can get certificates for free now, for example from https://letsencrypt.org/.
Any news on the timeline/ETA for making use of secure origins for EME mandatory?
Owner: ddorwin@chromium.org
geolocation and getUserMedia require https. fullscreen and pointerlock don't have permissions anymore. EME is the only other one mentioned here.

ddorwin can I assign this to you? Should we open a new bug for EME only?
Status: Assigned (was: Available)
Components: -Security>UX Internals>Permissions>Model
Components: -Security>UX Internals>Permissions>Model
Components: -Internals>Permissions
Status: WontFix (was: Assigned)
Support for insecure usage of EME is being removed: https://groups.google.com/a/chromium.org/forum/?pli=1#!topic/blink-dev/tXmKPlXsnCQ.

Per #17, this is the only other API mentioned, so I'm closing this.

Sign in to add a comment