4. I would like clarity on how existing Mozilla/Firefox/Thunderbird/etc. implementations may interact with such a policy. (For example, I think you previously alluded to Mozilla implicity trusting JavaScript in some context if it were downloaded from an SSL-enabled site.) I am reluctant to implement a policy if the code itself negates its intent.
This example was based, AFAIAA, on a misunderstanding - Mozilla does not treat JS served over HTTPS in any significantly different way to JS served over HTTP.
Gerv _______________________________________________ mozilla-crypto mailing list mozilla-crypto@mozilla.org http://mail.mozilla.org/listinfo/mozilla-crypto