On Mon, Nov 1, 2010 at 8:09 PM, bawolff <bawolff+wn(a)gmail.com> wrote:
> May I ask how? If you're logged in to the secure server, then the
> cookies won't get transmitted to the unsecure server when loading js
> from them.

Unless you've logged into the insecure server at some point in the past.

> At the very worst (if we really put on our tin foil hats) I
> suppose someone could intercept the non-secured js script, do a man in
> the middle type thing and replace the script with malicious js.
> However if someone actually has the ability to do that, they could
> already do that with the geoip lookup.

True, that's a separate problem.