From : Brandon Jones <bajones@google.com>



Message-ID : <CAEGwwi3C4-OL8EFiCH7Zb-r2e416JFAedMjTXUx+HvC2s+gMJg@mail.gmail.com>

To : public-webvr@w3.org



Following conversations with Chrome's security teams, we are now planning on making WebVR only available to secure origins when it officially launches. This is consistent with our current policy for powerful new features <https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features>, and we definitely consider WebVR to be a powerful feature! We are, in effect, giving sites the ability to take over not just your cursor or your screen but completely override one of your senses. It's prudent for us to ensure the digital reality we deliver to users is authenticated, integrity-checked, and confidential.

We realize that some developers have strong opinions on this subject. We welcome feedback, *especially* if this policy makes your planned use case infeasible! But we also feel that the development community around a new feature like this is actually in the best position to gracefully handle this requirement. WebVR projects are less likely to have large amounts of legacy code that needs to be updated to support HTTPS. Additionally, efforts like Let's Encrypt are in full swing and make it easier than ever to make your sites secure.

This change will not appear in my experimental binaries for a little while, but we wanted to make sure the community was aware of the change well in advance so that everyone has time to make the appropriate changes and provide us with any feedback you might have.

Thanks!

--Brandon Jones

(PS: If you're reading this on web-vr-discuss@mozilla.org, I encourage you to join the public-webvr@w3.org mailing list! That's the official public mailing list for our community group <https://www.w3.org/community/webvr/> and the channel that will be used for communication like this in the future.)