Aryeh Gregor wrote:
> On Sat, Sep 6, 2008 at 10:02 PM, Oldak Quill <oldakquill@gmail.com> wrote:
>> Perhaps we should add a red banner to the top of every page accessed through the secure gateway that images are not secure.
>
> Browsers will typically inform the user that some parts of the page are not secured, and should include visual cues too (like not presenting a padlock icon in the URL bar).

Interestingly, Firefox at least doesn't seem to care about the images being loaded from an insecure server.
It *will* whinge about JavaScript being loaded that way, however.
Note that while loading of images over HTTP may reveal viewed pages (via referers, just like clicking on an external link will) it won't reveal passwords or session cookies.
-- brion