> You can try an Ajax request or loading a picture over SSL and then redirect with JS if it doesn't fail.
Neat idea, but wouldn't this still be exposed to ISP-level attacks? Since the user is still loading the page initially in plain HTTP, the ISP could still inject code, remove the JS redirect, etc.
Yes, no redirect can protect the user from that. In fact, not even completely disabling HTTP can - the ISP can respond on port 80 anyway. But it can protect them if they open it on a safe connection and then bookmark the page, or keep the tab open, or send the link to someone else, and then use that link on an unsafe connection.
> There is no formal definition on what constitutes a "surgical stainless steel", so product manufacturers and distributors apply the term to refer to any grade of corrosion resistant steel.
A bit misleading. The maintainers have been working on large experimental features like a self-hosted "signaling server" which helps sync notes without storing any note data on it, and without relying on third-party hosting like Dropbox [1].
Also if you look at the dev branch [2], they have been making sweeping changes to the codebase; most recently it appears they have been removing "old" JavaScript libraries like Bower, presumably to move everything to an NPM setup.
Firefox Test Pilot [1] is a more recent approach to testing new UI in Firefox. It's entirely extension based. I think this is a smart approach because it lets Mozilla quickly test new UI features without building it into the core browser before it's been vetted.
However, its full potential is not ready yet, since Firefox has been migrating to WebExtensions, and this has not fully stabilized yet. Long term, I think the WebExtensions move also makes sense, since it gives extension authors a stable API to work with, instead of XUL, which can break with each Firefox update. And the architecture makes it easier to optimize threading performance and some form of security sandboxing.
So the point is, I think more UI experimentation is on Firefox's horizon, but they have to first stabilize the technical architecture before they can go full throttle on that.
Couldn't find anything in the literature - they probably don't, or perhaps it's such an obvious requirement that it's not even mentioned. Given that driving culture and etiquette are very different in every country, I'd guess a system trained for US roads, traffic rules and social behaviors does not generalize as well for Russian or Chinese or any other country's roads.