require SSL for manifest origins?

RESOLVED FIXED

Status

()

Firefox
SocialAPI
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: mixedpuppy, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
determine whether we require SSL for social providers
Blocks: 733414
(Reporter)

Comment 1

5 years ago
mcoates: this bug is an open question, would like your opinion.  

Do we allow providers to serve off http, or do we require https?  I feel it would be nice to require https, but it might make development a bit rough.  I suppose if the host is "localhost" we can allow http.

Right now we are requiring same-origin (proto+host+port) for urls contained in the manifest.  If the manifest is served off http, all content will be http, likewise for https.
We discussed this in one of our status update calls with Mhanson, todd and others.

Plan is to require SSL for communications established via Social API. We set this as the standard and avoid any problems with future situations where sensitive data could be sent over HTTP.
(Reporter)

Comment 3

5 years ago
done, with tests

pushed https://github.com/mozilla/socialapi-dev/commit/35f157622bab37cb394c9d9bca67081163b2716a
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.