On Mon, Nov 1, 2010 at 8:09 PM, bawolff <bawolff+wn@gmail.com> wrote:
> May I ask how? If you're logged in to the secure server, then the cookies won't get transmitted to the unsecure server when loading js from them.
Unless you've logged into the insecure server at some point in the past.
> At the very worst (if we really put on our tin foil hats) I suppose someone could intercept the non-secured js script, do a man-in-the-middle type thing and replace the script with malicious js. However, if someone actually has the ability to do that, they could already do that with the geoip lookup.
True, that's a separate problem.