Please keep in mind that the origin is the security boundary on the
web, and is defined as being (scheme, host, port).

Assuming we don't expand the definition of the origin, unless we
implement mixed-everything blocking — mixed EV & non-EV, mixed TLS 1.2
& 1.1, mixed AES-128 & AES-256, mixed pinned keys & non-pinned, et c.
— then I don't think we should make any increased promise to the user.
After all, the promise wouldn't be true.

Let's keep our eye on the ball *currently in play*: Getting all
origins up to the minimum standard of nominally-secure transport. Once
we achieve that, then we can consider splitting finer hairs.

The hair I'd much rather split, by the way, is making each
cryptographic identity a separate origin. Ponder for a moment how
enjoyably impossible that will be...
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
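
The point of the message above, as an added example that is not part of the original post: connections that differ in EV status, TLS version, cipher or pinning still fall inside one (scheme, host, port) origin, and only a hypothetical key-aware origin would separate them. The connection records, the `spkiHash` field and all function names are constructed for illustration.

```javascript
// Added illustration. All data below is constructed sample data.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// The web origin: (scheme, host, port) and nothing else.
function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the default port is used, so fill it in explicitly.
  return [u.protocol, u.hostname, u.port || DEFAULT_PORTS[u.protocol] || ""];
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.every((part, i) => part === y[i]);
}

// Hypothetical finer boundary: origin plus the server's key identity.
function keyedOriginOf(conn) {
  return [...originOf(conn.url), conn.spkiHash];
}

// Group connections by whatever boundary keyFn defines.
function partition(conns, keyFn) {
  const groups = new Map();
  for (const c of conns) {
    const k = JSON.stringify(keyFn(c));
    groups.set(k, [...(groups.get(k) || []), c]);
  }
  return [...groups.values()];
}

// Transport properties that take more than one value inside a single group.
function mixedWithin(group) {
  return ["ev", "tls", "cipher", "pinned"].filter(
    (p) => new Set(group.map((c) => c[p])).size > 1
  );
}

// Constructed connections observed for one site.
const connections = [
  { url: "https://example.com/", ev: true, tls: "1.2", cipher: "AES-256", pinned: true, spkiHash: "key-A" },
  { url: "https://example.com:443/api", ev: false, tls: "1.1", cipher: "AES-128", pinned: false, spkiHash: "key-B" },
  { url: "http://example.com/", ev: false, tls: null, cipher: null, pinned: false, spkiHash: null },
];

const byOrigin = partition(connections, (c) => originOf(c.url));
const byKeyedOrigin = partition(connections, keyedOriginOf);
console.log(byOrigin.length, mixedWithin(byOrigin[0]), byKeyedOrigin.length);
```

Under the real origin definition the two HTTPS connections share one boundary despite differing in every listed property; under the hypothetical keyed origin every distinct server key becomes its own origin.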