Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Jim Manico on 2015-01-02 (public-webappsec@w3.org from January 2015)

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 2 Jan 2015 11:21:22 -1000
To: Brad Hill <hillbrad@gmail.com>
Cc: Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <6224839210151045073@unknownmsgid>

Regarding:

<script src=http://example.com/scripts/doStuff.js>
that link can ALWAYS be changed to:
<script src=https://example.com/scripts/doStuff.js>
and nothing will break

This does not seem true to me, Brad. If my script has hard-coded HTTP links
for resource retrieval and I disable HTTP or redirect to HTTPS in certain
ways, those scripts will sometimes break. I ran into this •last week•.

Never doubt the power of a crazy developer. :)

Respectfully,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 2, 2015, at 11:16 AM, Brad Hill <hillbrad@gmail.com> wrote:

<script src=http://example.com/scripts/doStuff.js>

that link can ALWAYS be changed to:

<script src=https://example.com/scripts/doStuff.js>

and nothing will b

Received on Friday, 2 January 2015 21:21:52 UTC