Last Comment Bug 756593 - require SSL for manifest origins?
: require SSL for manifest origins?
Status: RESOLVED FIXED
:
Product: Firefox
Classification: Client Software
Component: SocialAPI (show other bugs)
: unspecified
: x86 Mac OS X
: -- normal (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
Depends on:
Blocks: 733414
  Show dependency treegraph
 
Reported: 2012-05-18 13:32 PDT by Shane Caraveo (:mixedpuppy)
Modified: 2012-05-23 16:34 PDT (History)
2 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments

Description Shane Caraveo (:mixedpuppy) 2012-05-18 13:32:14 PDT
determine whether we require SSL for social providers
Comment 1 Shane Caraveo (:mixedpuppy) 2012-05-22 11:23:51 PDT
mcoates: this bug is an open question, would like your opinion.  

Do we allow providers to serve off http, or do we require https?  I feel it would be nice to require https, but it might make development a bit rough.  I suppose if the host is "localhost" we can allow http.

Right now we are requiring same-origin (proto+host+port) for urls contained in the manifest.  If the manifest is served off http, all content will be http, likewise for https.
Comment 2 Michael Coates [:mcoates] (acct no longer active) 2012-05-23 09:14:00 PDT
We discussed this in one of our status update calls with Mhanson, todd and others.

Plan is to require SSL for communications established via Social API. We set this as the standard and avoid any problems with future situations where sensitive data could be sent over HTTP.
Comment 3 Shane Caraveo (:mixedpuppy) 2012-05-23 16:34:17 PDT
done, with tests

pushed https://github.com/mozilla/socialapi-dev/commit/35f157622bab37cb394c9d9bca67081163b2716a

Note You need to log in before you can comment on or make changes to this bug.