[HTTPS-Everywhere] Mixed Content / HTTP redirects

Chris Palmer chris at eff.org
Sat Dec 18 11:31:58 PST 2010


On Dec 18, 2010, at 8:25 AM, Drake, Brian wrote:

> With mixed content, Internet Explorer has an option to block it or
> prompt before displaying it.

And the default is to block. :) I think they made it the default in IE 7.

If HTTPS Everywhere grew this feature, it must not add any new alert windows. If possible, it should get rid of some extraneous alerts.

I've been hypothesizing that the way to express that "secure is the new default" is to show a notification (the padlock icon for HTTPS is a "notification") for page-loads that are not 100% secure, and to show no notification when they are 100% secure.

http://www.usenix.org/event/upsec08/tech/full_papers/cranor/cranor.pdf

I could be talked off the ledge and into showing a notification for the secure state too, though. :)

I like Brian's idea, but I'm sadly too busy with other things to hack on HTTPS Everywhere. I leave this to you all to decide on. Feel free to submit a patch, Brian. :)



-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation



