On Mon, Sep 8, 2008 at 2:33 PM, Brion Vibber <brion(a)wikimedia.org> wrote:
Interestingly, Firefox at least doesn't seem to care about the images
being loaded from an insecure server.
It *will* whinge about JavaScript being loaded that way, however.
Note that while loading of images over HTTP may reveal viewed pages (via
referers, just like clicking on an external link will) it won't reveal
passwords or session cookies.
On this subject, as part of the IPv6 testing I've run a JS tester on
ENWP for a couple of months now which has determined that for hosts
able to run the JS tester, protocol-relative URLs (i.e. <img
src="//upload.wikimedia.org/foo.jpg"/>) work for all clients.
If protocol relatives turn out to be universally supported they would
remove one problem from doing a native SSL deployment.
I can't comment on compatibility with clients that do not support
JavaScript / don't execute the v6 test for some other reason.
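
The following is an added example, not part of the original message: it resolves each `src` on a page the way a browser would and flags HTTP subresources on an HTTPS page, separating images (passive) from scripts (active), which is the distinction the thread describes. The function name, the sample HTML and the script paths are constructed for illustration.

```javascript
// Constructed sample markup; only the first <img> comes from the thread.
const SAMPLE_HTML = `
<img src="//upload.wikimedia.org/foo.jpg"/>
<img src="http://upload.wikimedia.org/bar.jpg"/>
<script src="http://en.wikipedia.org/skins/site.js"></script>
<script src="//en.wikipedia.org/skins/common.js"></script>
<img src="/static/logo.png"/>
`;

// Active content runs in the page's origin, so an HTTP copy can be replaced
// in transit and then read cookies or form fields. Passive content (images)
// only exposes the request itself: URL, Referer.
const ACTIVE_TAGS = new Set(["script", "iframe", "embed"]);

// Resolve every src against pageUrl and classify it.
// A protocol-relative "//host/path" inherits the scheme of pageUrl.
function auditSubresources(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  const tagRe = /<(\w+)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const [, rawTag, src] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const resolved = new URL(src, page);
    let verdict = "ok";
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      verdict = ACTIVE_TAGS.has(tag) ? "mixed-active" : "mixed-passive";
    }
    findings.push({ tag, src, resolved: resolved.href, verdict });
  }
  return findings;
}

// Same markup served over HTTPS and over HTTP.
for (const base of ["https://en.wikipedia.org/wiki/Foo",
                    "http://en.wikipedia.org/wiki/Foo"]) {
  console.log(base);
  for (const f of auditSubresources(SAMPLE_HTML, base)) {
    console.log(`  ${f.verdict.padEnd(13)} <${f.tag}> ${f.resolved}`);
  }
}
```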