On Mon, Sep 8, 2008 at 2:33 PM, Brion Vibber brion@wikimedia.org wrote:
Note that while loading of images over HTTP may reveal viewed pages (via referers, just like clicking on an external link will) it won't reveal passwords or session cookies.
According to RFC 2616 (section 15.1.3), it SHOULD NOT reveal Referers either, and AFAIK browsers do implement that. However, you could still probably work out what pages the person is viewing by just looking at which images are being loaded, in many cases.
On Mon, Sep 8, 2008 at 3:04 PM, Gregory Maxwell gmaxwell@gmail.com wrote:
On this subject, as part of the IPv6 testing I've run a JS tester on ENWP for a couple of months now which has determined that for hosts able to run the JS tester, protocol-relative URLs (i.e. <img src="//upload.wikimedia.org/foo.jpg"/>) work for all clients.
If protocol relatives turn out to be universally supported they would remove one problem from doing a native SSL deployment.
Why would one suspect that they're not universally supported?
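To make the two points in this thread concrete (a protocol-relative URL inherits the embedding page's scheme, so it avoids mixed content on an SSL deployment, and RFC 2616 section 15.1.3 says no Referer should be sent from an https page to a non-secure target), here is an added example that is not part of the thread and not Gregory's JS tester; the page URL and image paths are constructed sample values.

```python
from urllib.parse import urljoin, urlsplit


def resolve_src(page_url: str, src: str) -> str:
    """Resolve an <img src> value against the page URL the way a browser does.

    A protocol-relative value ('//host/path') has no scheme of its own, so it
    inherits the scheme of the page that embeds it: https page -> https image.
    """
    return urljoin(page_url, src)


def is_mixed_content(page_url: str, src: str) -> bool:
    """True when an https page would fetch this image over plain http."""
    page = urlsplit(page_url)
    img = urlsplit(resolve_src(page_url, src))
    return page.scheme == "https" and img.scheme == "http"


def referer_would_be_sent(page_url: str, target_url: str) -> bool:
    """Model the RFC 2616 section 15.1.3 rule: a client SHOULD NOT send a
    Referer header when the referring page is https and the target is not."""
    page = urlsplit(page_url)
    target = urlsplit(target_url)
    if page.scheme == "https" and target.scheme != "https":
        return False
    return True


def audit_image_refs(page_url: str, srcs: list[str]) -> list[dict]:
    """Classify each image reference found on a page: where it resolves to,
    whether it is mixed content, and whether a Referer would accompany it."""
    report = []
    for src in srcs:
        resolved = resolve_src(page_url, src)
        report.append({
            "src": src,
            "resolved": resolved,
            "mixed_content": is_mixed_content(page_url, src),
            "referer_sent": referer_would_be_sent(page_url, resolved),
        })
    return report


if __name__ == "__main__":
    # Constructed sample: a wiki page served over https with three image refs.
    PAGE = "https://en.wikipedia.org/wiki/Main_Page"  # assumed example page URL
    SRCS = [
        "http://upload.wikimedia.org/foo.jpg",  # absolute http: mixed content
        "//upload.wikimedia.org/foo.jpg",       # protocol-relative: follows page
        "/static/images/logo.png",              # path-relative: same origin
    ]
    for row in audit_image_refs(PAGE, SRCS):
        print(row)
```

Running the block shows the absolute http reference flagged as mixed content with no Referer, while the protocol-relative one resolves to https and behaves like any other same-scheme resource.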