Closed Bug 756593 Opened 12 years ago Closed 12 years ago

require SSL for manifest origins?

Categories

(Firefox Graveyard :: SocialAPI, defect)

Product:
Firefox Graveyard
Component:
SocialAPI
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: mixedpuppy, Unassigned)

References

Details

determine whether we require SSL for social providers
mcoates: this bug is an open question, would like your opinion.  

Do we allow providers to serve off http, or do we require https?  I feel it would be nice to require https, but it might make development a bit rough.  I suppose if the host is "localhost" we can allow http.

Right now we are requiring same-origin (proto+host+port) for urls contained in the manifest.  If the manifest is served off http, all content will be http, likewise for https.
We discussed this in one of our status update calls with Mhanson, todd and others.

Plan is to require SSL for communications established via Social API. We set this as the standard and avoid any problems with future situations where sensitive data could be sent over HTTP.
done, with tests

pushed https://github.com/mozilla/socialapi-dev/commit/35f157622bab37cb394c9d9bca67081163b2716a
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Product: Firefox → Firefox Graveyard
You need to log in before you can comment on or make changes to this bug.