> Browsers really have to be a lot more skeptical about the code they run.
I absolutely believe you, and wrote a document on how to make improvements.
> Code from non-TLS pages should not be able to run at all.
Whether or not it is TLS is irrelevant. Either way the user may wish to put in their own code, and either way the server operator can change things whether or not it is what the user intends. (TLS does prevent spies from adding code, but not all unwanted code is from spies.)
> Instead of locking the web down, let's give users the freedom to put on or remove as many locks as they want to live with.
I agree. Furthermore, allow the user to override any behaviour they want to, too.
Allow the user to examine and copy the script (possibly with modifications); if the script changes (whether due to MITM or due to the author altering it or due to some other company purchasing them), it no longer runs unless the user approves the new one, too. Extensions that only allow free software to run don't help either; just because it is free software does not necessarily mean it is a program the user wants their computer to execute. Or, maybe the user wants to execute a modified version instead!