Self-signed, expired, invalid and mixed-content SSL certificates at middle security

when I access a site, with a self-signed, expired and invalid, I can add it to exceptions, (or not; go back) when I add, this potentially harmful domain can use JavaScript (because its use HTTPS; assuming we are using middle slider).

should have a mechanism to forbidden those exceptions and mixed-content to use JavaScript, because they can be harmful for user, especially assuming the users don't make any know about the risks.

the options (in my view):

  1. force HTTPS untrusted to use HTTP by default.

  2. add a script or whatever, to disarm JavaScript on those sites (when using mid security).

  3. a very informative and scarry warning on it.

Trac:
Username: i139

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information