Which leads me to the second thing I wanted to mention: I made it clear in that original thread, and it behoves repeating,
web-based wallets are not "safe". Where a local wallet has a set of security risks (eg. a deviant local process can hijack your transactions as they are being built and redirect the funds) web wallets open up an additional class of security risks: trusting code that is delivered live, and passes through multiple points on the Internet. Using MyMonero involves trusting your ISP, trusting CloudFlare, trusting the CA, trusting MyMonero, and trusting the various data providers en-route, each and every time you use the web wallet. That having been said, MyMonero represents a smaller attack surface than a Bitcoin / altcoin-based web wallet where the keys are held on the server, as MyMonero is unable to spend funds independently of the user. Thus this attack would involve serving up compromised JavaScript, which would be noticed were it done on any sort of scale.
To that end, I'd like to reiterate my original comment from our previous discussion on the security of MyMonero:
It is important to note JavaScript-based wallets are never going to be really safe, and MyMonero is no exception. I've said before that MyMonero is merely a stopgap solution until we have libraryise completed (so that third-party GUI developers can better hook into core functions) and/or we've found an SPV-style solution (our current work is on using a bloom filter for viewkeys instead of passing the raw viewkey) for lightweight wallets. In fact, the website even says quite clearly: "The clients below are ideal if you are using Monero for the first time".
One final bootnote: the view key is sent to the MyMonero server every single time, so we don't state that "no keys" are sent to the server, merely that the spend key is not. That is a factually correct statement, barring any number of circumstances outside of our control, such as a user's ISP being compromised. I hope it is unnecessary for me to qualify that statement every time I make it:)
Not only is it not as safe, but it's very arguably not as anonymous, as the user is sending their view key to the server. I assume that it's at least encrypted on its way to the server, and then discarded by the server afterwards, but this doesn't mean that there couldn't be some malicious logging going on somewhere along the chain that could link users' IP addresses to their transaction history, which could de-anonymize a good chunk of Monero transactions.
Given this projects' goals, people using it may assume that if it's Monero, its anonymity is not in question. Actually, based on your own words (in bold in the quoted material above) maybe the slogan
on the MyMonero front page very well
shouldn't be
"Send and receive Monero safely and securely, anywhere and any time", and should, instead, be a warning that makes an effort to explain to people that their view keys are being sent to the server, that they're using a JavaScript-based wallet that is never going to be safe, and that this is only a stopgap solution. That would seem to better fit the principles of this project.