> On Thu, 24 Mar 2016, Kevin Chadwick <m8il1i...@gmail.com> wrote: > > BTW, only allowing Javascript to come from the primary domain over SSL > > would be a far saner idea, but lets see you get that past Google, > > facebook and all the other tracking sites? > > It's possible with content security policy[1][2], but completely > optional and up to the webmaster (custom header sent by the server). > Google etc are actually pushing for it. > > [1]: https://en.wikipedia.org/wiki/Content_Security_Policy > [2]: https://developer.mozilla.org/en-US/docs/Web/Security/CSP
Please, you think that says anything about Google, it doesn't even say anything about a few Google developers? Google generally works in teams of four by the way apparently. Yes I have that enabled on my sites as there is NO javascript at all but that is next to useless as my sites aren't problem sites. The noscript extension for firefox appears to increase firefox's startup use of memory by more than the xombrero browser uses on startup! Here's a question or two. Why can you not clear any content on browser shutdown on chrome but can in comodos version called chromodo. Why are the chrome javascript controls next to useless and hitting enable has no effect on video sites that try to ensure adverts have been run? I could throw in why google are adverse to firewalls but that would open up more trolling. I have nothing against Google btw but some of their software design decisions are as bad as Apples engineering. Anyway, non of this has anything to do with OpenBSD as I doubt libressl and it's CA ability would be the chosen solution to any OpenBSD security problems when there is OpenSSH available and many of the developers meet regularly enough. So I assume the developers would agree that it would be good if https everywhere nonsense wasn't brought up on this list again please. -- KISSIS - Keep It Simple So It's Securable
