<div dir="ltr"><div><div>It does seem to me that popup-blocking isn't a great fit for this list. AIUI this started from Chrome's intent to start moving "powerful" features to SSL-only (with this being a first step), and allowing popups doesn't seem like that kind of feature.<br><br></div>It's also worth noting that our popup blocker is not perfect, and there are various ways around it. So if a MITM attacker wants to inject popups into a non-SSL page, they'd presumably just do it in a way that doesn't require exceptions in the first place.<br><br></div>Justin<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 6, 2015 at 10:31 AM, Ehsan Akhgari <span dir="ltr"><<a href="mailto:ehsan.akhgari@gmail.com" target="_blank">ehsan.akhgari@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 2015-03-06 1:23 PM, <a href="mailto:andreas.gal@gmail.com" target="_blank">andreas.gal@gmail.com</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mar 6, 2015, at 6:18 PM, Ehsan Akhgari <<a href="mailto:ehsan.akhgari@gmail.com" target="_blank">ehsan.akhgari@gmail.com</a>> wrote:<br>
<br>
On 2015-03-06 1:14 PM, <a href="mailto:andreas.gal@gmail.com" target="_blank">andreas.gal@gmail.com</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Mar 6, 2015, at 5:52 PM, Anne van Kesteren <<a href="mailto:annevk@annevk.nl" target="_blank">annevk@annevk.nl</a>> wrote:<br>
<br>
On Fri, Mar 6, 2015 at 6:33 PM, <<a href="mailto:andreas.gal@gmail.com" target="_blank">andreas.gal@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Is the threat model for all of these permissions significant enough to warrant the breakage?<br>
</blockquote>
<br>
What breakage do you envision?<br>
</blockquote>
<br>
I can no longer unblock popups on sites that use HTTP. The web is a big place. It will take a long time for everyone to move.<br>
</blockquote>
<br>
I think Anne is not proposing that. He's proposing blocking persisting those permissions. IOW you would be able to still show popups from these websites, but you won't be able to ask Firefox to remember your preference.<br>
</blockquote>
<br></span>
I know but we will break the persisting. The user will be annoyed that popup unblocking doesn’t work as expected on HTTP sites.<br>
<br>
I am all for securing dangerous permissions but popups and notifications seems more like we are wagging our finger at the user in unhelpful ways. Most users will simply think Firefox is broken.<br>
</blockquote>
<br>
Notifications are a much newer feature than pop-ups and are not as widely used yet, so hopefully with the case of notifications we can stop persisting the permission right now without having too many people wonder why they can't persist the permission. Perhaps it makes more sense to start with geolocation, fullscreen and pointerlock first.<br>
<br>
One thing to note is that there are still large Web properties which at least use geolocation and fullscreen from HTTP (Bing Maps for example for geolocation, and <a href="http://player.vimeo.com" target="_blank">player.vimeo.com</a> for embedded vimeo videos usin fullscreen). We should probably start evangelizing this sooner than later to those Web sites, and perhaps also to the general developer community through a hacks blog post and similar venues.<div class="HOEnZb"><div class="h5"><br>
______________________________<u></u>_________________<br>
firefox-dev mailing list<br>
<a href="mailto:firefox-dev@mozilla.org" target="_blank">firefox-dev@mozilla.org</a><br>
<a href="https://mail.mozilla.org/listinfo/firefox-dev" target="_blank">https://mail.mozilla.org/<u></u>listinfo/firefox-dev</a><br>
</div></div></blockquote></div><br></div>