determine whether we require SSL for social providers
mcoates: this bug is an open question, would like your opinion. Do we allow providers to serve off http, or do we require https? I feel it would be nice to require https, but it might make development a bit rough. I suppose if the host is "localhost" we can allow http. Right now we are requiring same-origin (proto+host+port) for URLs contained in the manifest. If the manifest is served off http, all content will be http, likewise for https.
We discussed this in one of our status update calls with Mhanson, todd and others. Plan is to require SSL for communications established via Social API. We set this as the standard and avoid any problems with future situations where sensitive data could be sent over HTTP.
done, with tests pushed https://github.com/mozilla/socialapi-dev/commit/35f157622bab37cb394c9d9bca67081163b2716a
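
The policy discussed in this bug (https required for the manifest, every manifest URL same-origin by proto+host+port, optional http for localhost during development) can be sketched as a validator. This is an added example, not code from the linked commit or from socialapi-dev; the function names, the convention that URL-valued fields end in `URL`, the `allowLocalHttp` flag and the `provider.example` host are all assumptions made for illustration.

```javascript
"use strict";
// Added example: hypothetical manifest validator, not the project's own code.

// Assumption: hosts treated as "local development" when allowLocalHttp is set.
const LOCAL_DEV_HOSTS = new Set(["localhost", "127.0.0.1"]);

// Returns the manifest origin if its scheme is acceptable, otherwise throws.
function checkManifestLocation(manifestURL, { allowLocalHttp = false } = {}) {
  const u = new URL(manifestURL);
  if (u.protocol === "https:") return u.origin;
  if (allowLocalHttp && u.protocol === "http:" && LOCAL_DEV_HOSTS.has(u.hostname)) {
    return u.origin;
  }
  throw new Error(`manifest must be served over https: ${manifestURL}`);
}

// Checks every field whose name ends in "URL" (assumed convention) against
// the manifest origin. URL.origin compares scheme, host and port together,
// and normalizes default ports (":443" on https equals no port).
function validateManifest(manifestURL, manifest, opts = {}) {
  let origin;
  try {
    origin = checkManifestLocation(manifestURL, opts);
  } catch (e) {
    return { ok: false, errors: [e.message] };
  }
  const errors = [];
  for (const [key, value] of Object.entries(manifest)) {
    if (!key.endsWith("URL")) continue;
    let resolved;
    try {
      resolved = new URL(value, manifestURL); // relative paths resolve here
    } catch {
      errors.push(`${key}: not a valid URL`);
      continue;
    }
    if (resolved.origin !== origin) {
      errors.push(`${key}: ${resolved.origin} is not same-origin with ${origin}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample manifest; field names are hypothetical.
const SAMPLE_MANIFEST = {
  name: "Demo Provider",
  workerURL: "/worker.js",
  sidebarURL: "https://provider.example:443/sidebar.html",
};
```

Keeping the localhost exception behind an explicit option means a release build that never sets it rejects every http manifest, including local ones.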