Hacker News new | comments | ask | show | jobs | submit login


You should NEVER load javascript over https on a page that was served over http.

It gives a false sense of security that doesn't exist.

Because the source page was served over http, the source page can be modified by an attacker, making the script be loaded under ssl makes you think its protected. But its not since an attacker could just modify the script tag to remove the https bit in transit then modify the script thats now being loaded over http.

In sort, forcing the script to use https gives you no gain when the page that includes it is served over http and it tricks you into thinking that javascript asset is secure.

Who does this affect? The attacker can always modify the page however they want anyways and the https for the js source would mean the js itself cannot be tampered with

Does it help much? No. Should you use it? Yes.

Who is being tricked? I don't suspect the user is checking the script tags to see if they are secure. At the very least, this might stop basic ISP tampering used to inject bandwidth warnings, etc.

The programmer that put the script tag in there.

Or just stop using HTTP like a normal person. Who still has pages served over anything hit HTTPS?

     Who still has pages served over anything hit HTTPS?
Someone who wants to explore our emerging financial liability as we grow increasingly compelled by law to actively protect data in transit (that's SSL), at rest, and in distribution.

     Penalties for violations can be huge, as much as 20 
     million euros or 4% of the company's annual turnover.

No browsers present that to users as a secure context, so nobody is being tricked.

More HTTPS == Better. If you can load this over HTTPS you should, no matter what circumstance. The browsers iconography will handle notifying people when the context is secure or not.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact