Gervase Markham wrote:
> Nils Maier wrote:
>> Disallowing those "corrupt LF" requests is in fact what I wouldn't like
>> to see.
>
> When they get a "link fingerprint check failed" error, how is a user to
> tell the difference between "Oh, the webmaster screwed up" and "Someone
> has trojaned this download"?
>
> Hard fail is the right way to go.
>

Why would a trojan writer want to produce a corrupt LF link?
I was talking about links here, not downloads ;)

>> What if a webmaster somehow got the LF wrong? The user would get
>> punished for it.
>
> The webmaster should have tested the link!

Same as above.
Furthermore: shit happens, and considering all those pages that are still IE-only, it's likely to happen more often than one might guess at this point.
A corrupt LF link just means that there is no way to verify said download.

>> Even SSL will let you continue if there is something wrong like
>> non-matching hostnames; and SSL provides reliable security.
>
> We are changing this.

This gets off-topic, but:
Honestly? I fairly doubt it unless mozilla/FX want to lose a huge chunk of users.
Do I need to switch over to IE just to load one of those damn common self-signed-to-localhost-certs "protected" sites?

>> So I still am in favor of implementing LF within the actual consumers,
>> as only they know how to handle stuff correctly, as only they got the
>> full stream.
>
> I agree.
>
> Gerv

Nils
