On Mon, Sep 8, 2008 at 2:33 PM, Brion Vibber brion@wikimedia.org wrote:
Interestingly, Firefox at least doesn't seem to care about the images being loaded from an insecure server.
It *will* whinge about JavaScript being loaded that way, however.
Note that while loading of images over HTTP may reveal viewed pages (via referers, just like clicking on an external link will) it won't reveal passwords or session cookies.
On this subject, as part of the IPv6 testing I've run a JS tester on ENWP for a couple of months now which has determined that for hosts able to run the JS tester, protocol relative urls (i.e. <img src="//upload.wikimedia.org/foo.jpg"/>) work for all clients.
If protocol relatives turn out to be universally supported they would remove one problem from doing a native SSL deployment.
I can't comment on compatibility with clients that do not support javascript / don't execute the v6 test for some other reason.