- From: Jim Manico <jim.manico@owasp.org>
- Date: Fri, 02 Jan 2015 12:17:03 -1000
- To: public-webappsec@w3.org, brad Hill <hillbrad@gmail.com>, timbl@w3.org
- Message-ID: <54A718DF.3000602@owasp.org>
Tim,

I missed something in my response. Brad said that if you start from an HTTP page, *and change nothing but loading one script internally from http to https*, nothing can break.

Brad was explicitly NOT talking about upgrading the document to HTTPS, only the link from which the script is retrieved, which is what your proposed requirement referenced.

So indeed, Brad's comments still stand.

Thank you,
Jim

PS: I meant *Sir Berners-Lee*, I forgot you were knighted by the queen. :)

***

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 2 Jan 2015 11:21:22 -1000
Message-ID: <6224839210151045073@unknownmsgid>
To: Brad Hill <hillbrad@gmail.com>
Cc: Tim Berners-Lee <timbl@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

Regarding:

<script src=http://example.com/scripts/doStuff.js>
that link can ALWAYS be changed to:
<script src=https://example.com/scripts/doStuff.js>
and nothing will break

This does not seem true to me, Brad. If my script has hard-coded HTTP links for resource retrieval and I disable HTTP or redirect to HTTPS in certain ways, those scripts will sometimes break. I ran into this *last week*.

Never doubt the power of a crazy developer. :)

Respectfully,
--
Jim Manico
@Manicode
(808) 652-3805

On Jan 2, 2015, at 11:16 AM, Brad Hill <hillbrad@gmail.com> wrote:

> <script src=http://example.com/scripts/doStuff.js>
> that link can ALWAYS be changed to:
> <script src=https://example.com/scripts/doStuff.js>
> and nothing will b
Received on Friday, 2 January 2015 22:17:37 UTC