WICG / webusb

Connecting hardware to the web.
https://wicg.github.io/webusb/

Why can bScheme be http:// when we only allow secure origins? #43

Closed kenchris closed 7 years ago

kenchris commented 8 years ago

Subject says it all

sowbug commented 8 years ago

On Chrome, localhost is considered secure even over HTTP. See https://www.chromium.org/Home/chromium-security/deprecating-powerful-features-on-insecure-origins

This is a significant developer convenience feature that doesn't meaningfully compromise security.

kenchris commented 8 years ago

Yes, that is a development feature. Devices are not supposed to add localhost to their allowed origins.

beaufortfrancois commented 8 years ago

While you're developing with a WebUSB device, I think it does make sense to allow http:// there.

kenchris commented 8 years ago

Unless you instead allow access to localhost when enabled through devtools, without the device having to whitelist it. Another option is to leave out the scheme and detail in the spec that all schemes are considered https except localhost.

sowbug commented 8 years ago

Kenneth, I wonder whether disallowing http:// would conflate policy and mechanism.

reillyeon commented 8 years ago

The only practical reason I see to disallow http:// as an option is if we wanted to remove the bScheme entirely as that would mean we could save a byte in URL descriptors. This then prevents us from adapting to new URL schemes. I think of bScheme mostly as a compression mechanism. We should probably add a "blank" option that would allow URL to contain a scheme.

Perhaps it was a mistake to attempt my own encoding scheme and we should instead simply reference the Eddystone URL format and call it a day.

gabrielklein commented 8 years ago

What I saw in some protocols is to have something like 0 => http:// 1 => https:// 2 => Defined in the URL.

As it gives more liberty to support URLs like whatapp://
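
The 0/1/2 scheme table proposed in the comment above, combined with the secure-origin rule discussed earlier in the thread, as an added example that is not part of the thread or of the WebUSB specification. It assumes a descriptor layout of bLength, bDescriptorType, bScheme followed by UTF-8 URL bytes, a descriptor type of 0x03, and a simplified loopback check; all function names are hypothetical.

```javascript
// Mechanism: the scheme prefix table as proposed in the thread (0, 1, 2).
const SCHEMES = new Map([[0, 'http://'], [1, 'https://'], [2, '']]); // 2 = scheme is in the URL field
const URL_DESCRIPTOR_TYPE = 0x03; // assumed descriptor type value

// Build a constructed sample descriptor (assumed layout, see decode below).
function encodeUrlDescriptor(bScheme, rest) {
  const body = new TextEncoder().encode(rest);
  return Uint8Array.from([3 + body.length, URL_DESCRIPTOR_TYPE, bScheme, ...body]);
}

// Decode bLength, bDescriptorType, bScheme, then UTF-8 URL bytes.
// Decoding accepts http:// on purpose: it only expands the prefix.
function decodeUrlDescriptor(bytes) {
  if (bytes.length < 3) throw new Error('descriptor too short');
  const [bLength, bDescriptorType, bScheme] = bytes;
  if (bLength !== bytes.length) throw new Error('bLength mismatch');
  if (bDescriptorType !== URL_DESCRIPTOR_TYPE) throw new Error('not a URL descriptor');
  if (!SCHEMES.has(bScheme)) throw new Error('unknown bScheme ' + bScheme);
  const rest = new TextDecoder('utf-8', { fatal: true }).decode(bytes.subarray(3));
  return new URL(SCHEMES.get(bScheme) + rest);
}

// Policy: https is allowed anywhere, http only on loopback hosts
// (a simplified stand-in for the browser's secure-origin check).
function isAllowedOrigin(url) {
  if (url.protocol === 'https:') return true;
  const loopback = ['localhost', '127.0.0.1', '[::1]'];
  return url.protocol === 'http:' && loopback.includes(url.hostname);
}

// Decode first, then apply policy; returns the URL string or null if rejected.
function checkDescriptor(bytes) {
  const url = decodeUrlDescriptor(bytes);
  return isAllowedOrigin(url) ? url.href : null;
}

// Constructed sample descriptors.
for (const d of [
  encodeUrlDescriptor(1, 'example.com/setup'),
  encodeUrlDescriptor(0, 'localhost:8000/'),
  encodeUrlDescriptor(0, 'example.com/'),
  encodeUrlDescriptor(2, 'https://example.com/a'),
]) {
  console.log(checkDescriptor(d));
}
```

Keeping the decoder and the origin check separate means a change to the scheme table does not alter which origins are accepted.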