Bug 756593 - require SSL for manifest origins?
Product: Firefox
Classification: Client Software
Component: SocialAPI
: x86 Mac OS X
: -- normal (vote)
Assigned To: Nobody; OK to take it and work on it
: Shane Caraveo (:mixedpuppy)
Blocks: 733414
Reported: 2012-05-18 13:32 PDT by Shane Caraveo (:mixedpuppy)
Modified: 2012-05-23 16:34 PDT


Description Shane Caraveo (:mixedpuppy) 2012-05-18 13:32:14 PDT
determine whether we require SSL for social providers
Comment 1 Shane Caraveo (:mixedpuppy) 2012-05-22 11:23:51 PDT
mcoates: this bug is an open question, would like your opinion.  

Do we allow providers to serve off http, or do we require https?  I feel it would be nice to require https, but it might make development a bit rough.  I suppose if the host is "localhost" we can allow http.

Right now we are requiring same-origin (proto+host+port) for urls contained in the manifest.  If the manifest is served off http, all content will be http, likewise for https.
Comment 2 Michael Coates [:mcoates] (acct no longer active) 2012-05-23 09:14:00 PDT
We discussed this in one of our status update calls with Mhanson, todd and others.

Plan is to require SSL for communications established via Social API. We set this as the standard and avoid any problems with future situations where sensitive data could be sent over HTTP.
Comment 3 Shane Caraveo (:mixedpuppy) 2012-05-23 16:34:17 PDT
done, with tests
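
Added example, not part of the bug thread and not Firefox's SocialAPI code: one way to express the check discussed in comments 1 and 2, requiring an https manifest origin and same-origin (proto+host+port) URLs inside it. The `*URL` field names, the `checkManifest` helper, the `allowLocalhostHttp` switch and the sample manifest are assumptions made for illustration.

```javascript
// Added example; field names and helper names are hypothetical.

// Origin as the bug uses it: proto + host + port. URL.origin normalises
// default ports, so https://a and https://a:443 compare equal.
function originOf(urlString) {
  const u = new URL(urlString); // throws on relative or unparsable input
  return { origin: u.origin, protocol: u.protocol, hostname: u.hostname };
}

// Returns a list of problems; an empty list means the manifest is acceptable.
// allowLocalhostHttp models the development exception floated in comment 1;
// the page does not say whether the landed change kept it.
function checkManifest(manifestUrl, manifest, { allowLocalhostHttp = false } = {}) {
  let base;
  try {
    base = originOf(manifestUrl);
  } catch (e) {
    return [`manifest location is not an absolute URL: ${manifestUrl}`];
  }
  const problems = [];
  const devException = allowLocalhostHttp &&
    base.protocol === "http:" && base.hostname === "localhost";
  if (base.protocol !== "https:" && !devException) {
    problems.push(`manifest origin ${base.origin} is not https`);
  }
  for (const [key, value] of Object.entries(manifest)) {
    if (!key.endsWith("URL")) continue; // only URL-valued fields are checked
    let target;
    try {
      target = originOf(String(value));
    } catch (e) {
      problems.push(`${key}: not an absolute URL`);
      continue;
    }
    if (target.origin !== base.origin) {
      problems.push(`${key}: origin ${target.origin} differs from ${base.origin}`);
    }
  }
  return problems;
}

// Constructed sample manifest (not taken from any real provider).
const SAMPLE_MANIFEST = {
  name: "Example Provider",
  workerURL: "https://social.example/worker.js",
  sidebarURL: "https://social.example:443/sidebar.html",
};
```
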

