Hi Gerv,

Gervase Markham wrote:
> Hmm... unless they are totally JS-driven.

I think so...

>> 2.) Should secured pages include such content as third party adverts,
>> third party analytics and other stuff which might track movement and
>> content to a third party? Personally I think this would be a basic
>> breach of the initial purpose of privacy and encrypting content.
>
> Just like with any site, you need to assess the practices of the site
> before deciding to give them any information about yourself.

Correct. In case of mixed content we are warning the user in some form...

> EV doesn't
> change this; it just makes it more clear who owns the site.

Right. But perhaps if we'd prevent or warn about "mixing content" here as well, it would make it clearer than silently accepting it...

> Hmm. I guess we need to decide how we view the model. If we say that
> someone using an EV certificate at the top level is taking
> responsibility for whatever content they include, then actually we
> should be happy to use Microsoft's model - just use the EV-ness of the
> top-level page.

Or as somebody else mentioned, an attack via a compromised site could be prevented. Not that I believe that anybody would bother with EV right now - but such an attack would be almost perfect...some food for thought for MS as well ;-)

Do the EV guidelines say anything about that? Is there even an expected behavior by the user and/or software vendor defined in that respect?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
