Security:SSLErrorPages: Difference between revisions

Blocking this second kind of mixed content is consistent with the change in behaviour for the top level page, but fails to give users the same error text explaining the problem and mentioning the possibility of adding an exception.  An option presented in the newsgroups and elsewhere would be to notify-bar in that case, but my concern is that the notification bar is relatively sparse as a mechanism for communicating about what is happening, and will lend itself too easily, I think, to one-click fix-it buttons.     


My initial reaction here would be to treat it like other mixed content, which is to say that if we can't verify it at least as far as a valid, signed, non-expired cert, it doesn't belong on a secure page.  In the strange-but-brought-up case of an http page referencing questionable-SSL content (e.g. a planet.m.o post which links to a broken-SSL-image-store), it obviously matters less - with the root page being unsecured, all the content can be altered anyhow - neither dropping nor preserving questionable content seems clearly advantageous.
My initial reaction here would be to treat it like other mixed content, which is to say that if we can't verify it at least as far as a valid, signed, non-expired cert, it doesn't belong on a secure page.  In the strange-but-brought-up case of an http page referencing questionable-SSL content (e.g. a planet.m.o post which links to a broken-SSL image store), it obviously matters less - with the root page being unsecured, all the content can be altered anyhow - neither dropping nor preserving questionable content seems clearly advantageous.


== Other Applications ==