On Mon, Sep 8, 2008 at 2:33 PM, Brion Vibber <brion(a)wikimedia.org> wrote:
Note that while loading of images over HTTP may reveal viewed pages (via
referers, just like clicking on an external link will) it won't reveal
passwords or session cookies.
According to RFC 2616 (section 15.1.3), it SHOULD NOT reveal Referers
either, and AFAIK browsers do implement that. However, you could
still probably work out what pages the person is viewing by just
looking at which images are being loaded, in many cases.
On Mon, Sep 8, 2008 at 3:04 PM, Gregory Maxwell <gmaxwell(a)gmail.com> wrote:
On this subject, as part of the IPv6 testing I've run a JS tester on
ENWP for a couple of months now which has determined that for hosts
able to run the JS tester, protocol relative urls (i.e. <img
src="//upload.wikimedia.org/foo.jpg"/>) work for all clients.
If protocol relatives turn out to be universally supported they would
remove one problem from doing a native SSL deployment.
Why would one suspect that they're not universally supported?
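
An added example, not part of the thread: a small audit that resolves each image URL on a page the way a browser would, then reports which loads go out in cleartext and whether the RFC 2616 section 15.1.3 rule would suppress the Referer. The sample markup, the page URLs and the function names are constructed for illustration, and only the RFC 2616 rule is modelled, not any later browser referrer policy.

```javascript
// Constructed sample markup; the first tag is the form quoted in the thread.
const SAMPLE_HTML = `
<img src="//upload.wikimedia.org/foo.jpg"/>
<img src="http://upload.wikimedia.org/bar.jpg"/>
<img src="/static/logo.png"/>
`;

// Pull src values out of <img> tags. A regex is enough for this sample;
// it is not a general HTML parser.
function imageSources(html) {
  return [...html.matchAll(/<img\b[^>]*\bsrc="([^"]*)"/gi)].map(m => m[1]);
}

// Resolve every image against the page URL and classify the resulting request.
function auditImages(html, pageUrl) {
  const page = new URL(pageUrl);
  return imageSources(html).map(src => {
    // A protocol-relative reference ("//host/path") inherits the page's scheme.
    const resolved = new URL(src, page);
    const downgrade =
      page.protocol === "https:" && resolved.protocol === "http:";
    return {
      src,
      resolved: resolved.href,
      // Cleartext loads let an on-path observer see which images are fetched.
      cleartext: resolved.protocol === "http:",
      // RFC 2616 15.1.3: no Referer on a non-secure request when the
      // referring page was transferred with a secure protocol.
      refererSent: !downgrade,
    };
  });
}

// Hypothetical page URLs: the same markup served over HTTPS and over HTTP.
for (const page of ["https://en.wikipedia.org/wiki/Example",
                    "http://en.wikipedia.org/wiki/Example"]) {
  console.log(page);
  console.table(auditImages(SAMPLE_HTML, page));
}
```

On the HTTPS page only the hard-coded `http://` image still goes out in cleartext; the protocol-relative and path-relative ones follow the page's scheme.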