On Mon, Nov 1, 2010 at 8:09 PM, bawolff <[email protected]> wrote: > May I ask how? If you're logged in to the secure server, then the > cookies won't get transmitted to the unsecure server when loading js > from them.
Unless you've logged into the insecure server at some point in the past. > At the very worse (if we really put on our tin foil hats) I > suppose someone could intercept the non-secured js script, do a man in > the middle type thing and replace the script with malicious js. > However if someone actually has the ability to do that, they could > already do that with the geoip lookup. True, that's a separate problem. _______________________________________________ Wikitech-l mailing list [email protected] https://lists.wikimedia.org/mailman/listinfo/wikitech-l
