On Tue, Nov 2, 2010 at 1:09 AM, bawolff <bawolff+wn(a)gmail.com> wrote:
> May I ask how? If you're logged in to the secure server, then the
> cookies won't get transmitted to the unsecure server when loading js
> from them. At the very worst (if we really put on our tin foil hats) I
> suppose someone could intercept the non-secured js script, do a man in
> the middle type thing and replace the script with malicious js.
> However if someone actually has the ability to do that, they could
> already do that with the geoip lookup. Thus I don't see how doing the
> importScriptURI reduces security.

Firefox and IE will whine that the site attempts to load unsecure
resources. Also, it is indeed possible to transmit cookies; it's
enough that the user has also logged in to the unsecure servers in
the past and is e.g. at a public WiFi hotspot now and so uses the
secure gateway.

Marco
--
VMSoft GbR
Nabburger Str. 15
81737 München
Managing directors: Marco Schuster, Volker Hemmert
http://vmsoft-gbr.de
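
The cookie question raised in this exchange can be checked with a small model of browser cookie selection. This is an added example, not part of the original thread; the host names `secure.example` and `wiki.example`, the cookie names, and the script URL are constructed placeholders, and the matching rules are a simplified form of RFC 6265.

```javascript
// Simplified RFC 6265 cookie selection: domain-match, path-match, Secure flag.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase();
  if (cookie.hostOnly) return h === d;          // no Domain attribute was set
  return h === d || h.endsWith("." + d);        // Domain attribute covers subdomains
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for requestUrl.
function cookiesSentWith(requestUrl, jar) {
  const url = new URL(requestUrl);
  const encrypted = url.protocol === "https:";
  return jar
    .filter((c) => domainMatches(url.hostname, c))
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => encrypted || !c.secure)      // Secure cookies never go over http
    .map((c) => c.name);
}

// Cookies that would cross the network unencrypted for this request.
function exposedInCleartext(requestUrl, jar) {
  const isPlainHttp = new URL(requestUrl).protocol === "http:";
  return isPlainHttp ? cookiesSentWith(requestUrl, jar) : [];
}

// Constructed jar: a current login at the secure gateway plus a session
// cookie left over from an earlier login at the plain-http site.
const jar = [
  { name: "gateway_session", domain: "secure.example", hostOnly: true, path: "/", secure: true },
  { name: "wiki_session", domain: "wiki.example", hostOnly: false, path: "/", secure: false },
];

// Constructed URL of a script pulled from the plain-http site by the secure page.
const scriptUrl = "http://wiki.example/w/index.php?title=Script.js&action=raw";

console.log("sent in cleartext:", exposedInCleartext(scriptUrl, jar));

// Same jar with every cookie marked Secure: nothing accompanies the http request.
const hardenedJar = jar.map((c) => ({ ...c, secure: true }));
console.log("with Secure flag:", exposedInCleartext(scriptUrl, hardenedJar));
```

The gateway's own cookie stays on the secure host, but the older session cookie accompanies the plain-http script request unless it carries the Secure attribute.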