Justin Dolske wrote:
> What problem would doing this address?
>
> I agree that mixing SSL and non-SSL is something the user might be
> concerned about, but I'm not sure I see a reason for wanting to know if
> EV-SSL and vanilla-SSL is being mixed.

One thought: because Firefox does not warn you if the different page components come from different domains, that means that if there was an XSS hole in the EV-protected site, a phisher could buy a $25 cert and make sure their injected content appeared without complaint.

Eddy gives another problem that doing this addresses.

Gerv
