Aryeh Gregor wrote:
> On Sat, Sep 6, 2008 at 10:02 PM, Oldak Quill <oldakquill(a)gmail.com> wrote:
>> Perhaps we should add a red banner to the top of every page accessed
>> through the secure gateway that images are not secure.
>
> Browsers will typically inform the user that some parts of the page
> are not secured, and should include visual cues too (like not
> presenting a padlock icon in the URL bar).

Interestingly, Firefox at least doesn't seem to care about the images
being loaded from an insecure server.
It *will* whinge about JavaScript being loaded that way, however.
Note that while loading of images over HTTP may reveal viewed pages (via
referers, just like clicking on an external link will) it won't reveal
passwords or session cookies.
-- brion