I have to see warnings for weak certificates, but loading 3rd party scripts is ok by default. When browsers are written by ad companies or beholden to ad companies, this is what you get.
Apple and Firefox (if Yahoo will let them) need to step up and block 3rd party scripts by default. Maybe even Chrome would get in on it if there was special whitelisting for Google's analytics.
That would kill 90% of the web, because people love to load Bootstrap, jQuery and Google ajax crap from 3rd party CDNs. Can we just please get content-based hashing and stop with this JS outsourcing bullshit?
Content-based caching would be a massive security nightmare.
All you'd need to do is serve up the same asset as any other site on the web and you could instantly know if the user has been there recently.
No need for tracking at all, just serve this up to people who go to HN, this to the redditors, this to anyone that was recently on 4chan...
Or let's take it a step further. I could reasonably figure out what your user-page on HN looks like to you when you're logged in. I'll serve that up to all my visitors and when I get a cache-hit I know it's you!
Even places that aren't loading crap from 3rd party CDNs put their bundled JS code onto their own CDN that probably has a different origin than the site you're on.