Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 2 Jan 2015 11:21:22 -1000
Message-ID: <6224839210151045073@unknownmsgid>
To: Brad Hill <hillbrad@gmail.com>
Cc: Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Regarding:

<script src=http://example.com/scripts/doStuff.js>
that link can ALWAYS be changed to:
<script src=https://example.com/scripts/doStuff.js>
and nothing will break

This does not seem true to me, Brad. If my script has hard-coded HTTP links
for resource retrieval and I disable HTTP or redirect to HTTPS in certain
ways, those scripts will sometimes break. I ran into this *last week*.

Never doubt the power of a crazy developer. :)

Respectfully,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 2, 2015, at 11:16 AM, Brad Hill <hillbrad@gmail.com> wrote:

<script src=http://example.com/scripts/doStuff.js>

that link can ALWAYS be changed to:

<script src=https://example.com/scripts/doStuff.js>

and nothing will b
Received on Friday, 2 January 2015 21:21:52 UTC
