Let the user choose
I don't like "Secure Contexts"; even if the data is encrypted does not necessarily mean you want to enable that feature. I think that a "potentially trustworthy origin" should only be the last one: An origin that the user has "configured as a trustworthy origin". Such configuration can optionally allow specifying only the URI scheme and/or netmask and/or partial domain name and/or arbitrary regular expressions on the URI, in case you want to use the listed specification, or allow any computers in the LAN, or allow for everything, or for nothing at all. --24.207.47.161 02:07, 11 August 2018 (UTC)
- I'm interested in what kind of user interface to configure a UA with this level of control you recommend. Two constraints: non-technical users should understand it, and it should fit on the display of a phone. --Tepples (talk) 13:51, 11 August 2018 (UTC)
- The UI could be different on a small touch-screen compared with a PC. Also, different implementations could use a different UI, too (some might just use a text file, for example). For example, you could have a simple mode and advanced mode. For use by non-technical users to understand it, simple mode might have checkmarks for "secure servers", "this computer", and "local network" (the first two are selected by default, for compatibility with the existing specification; the third is unselected by default) and a list of domain names that you can edit to add/remove stuff. Advanced mode can have a list where each item can either be a regular expression (to match a full URL), or a combination of a netmask and port number range; either way each one also says allow/deny. Both the simple and advanced mode could fit on a phone display, I think (although the contents of the lists will not all be visible at once, compared to a full display where it can). --
24.207.47.161 17:33, 11 August 2018 (UTC)