@craigmaloney the insidious part is that it’s just flying under the “well it came from the real domain and it’s https soooo it’s good!” permission model that browsers are all built with. This just isn’t true anymore with sites that are actively letting malicious entities run scripts under their name.