Require HTTPS?

[zachernuk]

One of the goals of Model is to not require any sensitive data from the user/UA to display the content. On the other hand, it seems like there is a general enthusiasm for encouraging new features to require HTTPS. It's also the case that model content (be it USDZ, glTF or any other rich definition) is also a more complicated resource to parse and pull apart, so it might be understood to need HTTPS for that reason too.

Where do folks in the CG stand on this? It's likely that WHATWG will have a significant hand in deciding the right choice, but it's good for us to present an opinion.
/facetoface

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts

https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts

[DRx3D]

Looking through the list on the second link, it seems that there are many useful features that are (or future desired) involved in AI applications. These include (non-exhaustive) APIs for audio, barcode (perhaps QR too), gamepad, geolocation, virtual keyboard, and service workers.

Is the only downside to require a certificate when doing localhost work?

[bialpio]

Is the only downside to require a certificate when doing localhost work?

Chiming in to say that localhost is considered to be a secure context so a certificate should not be needed when developing locally.

[AdaRoseCannon]

The rough consensus from the meeting seemed to be that we are okay going with https from the get go provided there are ways to access localhost.