----- Original Message -----
> From: "Anne van Kesteren" <[email protected]>
> To: "Chris Palmer" <[email protected]>
> Cc: "Patrick McManus" <[email protected]>,
> [email protected], "Richard Barnes"
> <[email protected]>
> Sent: Friday, 19 September, 2014 1:52:18 PM
> Subject: Re: Indicators for high-security features
>
> On Thu, Sep 18, 2014 at 8:23 PM, Chris Palmer <[email protected]> wrote:
> > Assuming we don't expand the definition of the origin, unless we
> > implement mixed-everything blocking — mixed EV & non-EV, mixed TLS 1.2
> > & 1.1, mixed AES-128 & AES-256, mixed pinned keys & non-pinned, etc.
> > — then I don't think we should make any increased promise to the user.
> > After all, the promise wouldn't be true.
>
> I'm not sure I follow. If there's mixed content you no longer get a
> lock at all in Firefox. Obviously we should not revert that.

AFAIK, images do not trigger "mixed content".

> > The hair I'd much rather split, by the way, is making each
> > cryptographic identity a separate origin. Ponder for a moment how
> > enjoyably impossible that will be...
>
> What are the issues?

The vast majority of sites use external resources, CDNs, external APIs, Google script hosting for popular libraries, etc.

--
Regards,
Hubert Kario
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

