Justin Dolske wrote:
> That doesn't seem all too different from a vanilla-SSL site having an
> XSS hole.
Mhhh... if the site contains unencrypted content, then the browser
notices it. If the parts are served by a different site (and
certificate) there is no notice. However the issue here is
Gervase Markham wrote:
> Right. But allowing this makes it possible for the identity presented to
> not be the identity of the owner of the content.
Correct!
That might actually lead to the idea that we should require that all the
content comes from the same company (O field). But that
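The distinction drawn in the reply above (plain-http subresources get a mixed-content notice, https subresources from a different site and certificate get none) can be made concrete with a small classifier. The block below is an added example, not code from this thread or from Mozilla: it walks the subresource references in a constructed HTML page, resolves them against a hypothetical page URL, and sorts them into the categories the discussion uses. It works on origins only; a page-side check cannot see which certificate a cross-site fetch was served with, and real browser mixed-content handling has more cases (active vs. passive content, for instance) than this three-way split.

```python
# Added example for the mixed-content discussion above; not from the thread.
# PAGE_URL and SAMPLE_HTML are constructed inputs, not real sites.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that loads a subresource into the page (navigations such
# as <a href> are deliberately left out: they do not affect the page's identity).
RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "embed": "src", "object": "data", "source": "src",
}

MIXED = "mixed content: plain http, browser warns"
SAME_SITE = "https from the page's own host"
CROSS_SITE = "https from another host (different certificate, no warning)"
OTHER = "other scheme (data:, blob:, ...)"


class SubresourceCollector(HTMLParser):
    """Collects raw subresource references from the tags in RESOURCE_ATTRS."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def classify_subresources(page_url, html):
    """Map each absolute subresource URL to one of the categories above."""
    page_host = urlsplit(page_url).netloc
    collector = SubresourceCollector()
    collector.feed(html)
    result = {}
    for raw in collector.urls:
        # urljoin resolves relative and protocol-relative ("//host/x") references
        # against the page URL, so they inherit the page's https scheme.
        url = urljoin(page_url, raw)
        parts = urlsplit(url)
        if parts.scheme == "http":
            result[url] = MIXED
        elif parts.scheme == "https" and parts.netloc == page_host:
            result[url] = SAME_SITE
        elif parts.scheme == "https":
            result[url] = CROSS_SITE
        else:
            result[url] = OTHER
    return result


def cross_site_hosts(page_url, html):
    """Hosts whose content is shown under the page's identity without any notice."""
    return sorted({
        urlsplit(url).netloc
        for url, cat in classify_subresources(page_url, html).items()
        if cat == CROSS_SITE
    })


# Constructed sample: an https page that pulls in same-site, plain-http and
# cross-site https resources.
PAGE_URL = "https://bank.example/login"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="//cdn.example/style.css">
  <script src="/js/app.js"></script>
  <script src="https://cdn.example/lib.js"></script>
</head><body>
  <img src="http://static.example/logo.png">
  <iframe src="https://ads.example/frame"></iframe>
  <img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
  <a href="http://bank.example/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for url, category in classify_subresources(PAGE_URL, SAMPLE_HTML).items():
        print(f"{category:60s} {url}")
    print("hosts that can put content under this page's identity:",
          cross_site_hosts(PAGE_URL, SAMPLE_HTML))
```

Run as a script it prints one line per subresource; the `<a href>` is ignored because a link is a navigation, not content rendered under the current page's identity.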
[Note that followups on this message only are set to go to
mozilla.dev.platform]
Just a note to alert folks who don't track mozilla.dev.apps.firefox
closely that there is design discussion there about UI for
content-handling dialog interactions. This includes handing off data
to both local and