Sample page: the newegg.com checkout using the payment method Visa Checkout. An iframe opens from a subdomain of visa.com with its own certificate, distinct from the certificate of the parent newegg page.

Right-clicking and clicking frame info for the iframe does not show a Security subtab, as per Bug 149207. Nor does the Info dialog for the parent page allow the certificate of the iframe to be viewed.

The certificate viewer or the Security tab can easily avoid misleading users by causing a message to be displayed that "This page may be insecure because it uses multiple certificates." FF is already potentially misleading users into thinking that their iframe input is being sent to the domain of the parent page, because the Security tab does not show the second certificate. Cross scripting concerns aside, FF users deserve to know whether they are actually using certificates from the merchant and the card network, and also whether they are using any other certificates.
Severity: major → enhancement
Priority: -- → P3