> In summary, any http hit on an insecure network is dangerous on all > browsers. > (FWIW, Chromium resolves this for me. When I type mail<enter> into the > omnibar, it auto-completes to https://mail.google.com/) > > Actually, I see this as a legitimate gap. HTTP links don't cache-mix with HTTPS links, and cookies can have server-side integrity checking to prevent HTTP pollution (lets not talk about the secure tag for cookies), but if it is indeed the case that there is no way to have a HTTPS-exclusive Application Cache, then that is a feature killing bug that's been legitimately called out.
--Dan
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/