Great link on AngularJS injection. Unfortunately the code shown is also an example of the kind of thing that makes me less-than-enthusiastic about a lot of the blogs I see on web apps. Right at the top (of the code) we have:
When https would have worked just fine. Instead, because it's referenced with http, we're basically saying - insert some random code in our page, if there's anyone that can spoof packets.
It's like Microsoft Office Macros all over again -- only much worse.
Later he calls the github api over https -- but (and this is a genuine question, I don't know) -- what would happen if github redirected from https to http? Would it fail, or would we get random insecure data import?:
(Now, redirecting to http would obviously be, well, bad form at least -- but conceivable to stave off slashdotting by an overworked sysadmin, perhaps?).
e12e|12 years ago
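As an added example (not part of the comment above, nor of the blog or GitHub code it refers to): a small fetch wrapper that follows redirects by hand and refuses any hop that moves an https request to http, so an https-to-http redirect fails closed instead of quietly importing data over plaintext. The function names, the canned responses and the assumption that Node's global fetch with `redirect: "manual"` returns the raw 3xx response with its Location header are all mine.

```javascript
// Added example, not from the comment or any project it mentions.
// Assumes Node 18+ (global fetch, Headers, URL).

const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);

// True when moving from `fromUrl` to `toUrl` would drop TLS.
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === "https:" &&
         new URL(toUrl).protocol !== "https:";
}

// Decide what to do with one response: null means "final response, stop",
// a string is the next absolute URL to fetch, and a downgrade throws.
function nextHop(currentUrl, status, location) {
  if (!REDIRECT_STATUSES.has(status)) return null;
  if (!location) throw new Error(`redirect from ${currentUrl} without Location`);
  const next = new URL(location, currentUrl).toString(); // Location may be relative
  if (isDowngrade(currentUrl, next)) {
    throw new Error(`refusing https -> http downgrade: ${currentUrl} -> ${next}`);
  }
  return next;
}

// Follow redirects manually, applying nextHop at every hop. `fetchImpl` is
// injectable so the logic can be exercised offline; the default assumes Node's
// fetch, where { redirect: "manual" } hands back the 3xx itself.
async function fetchNoDowngrade(url, { maxHops = 5, fetchImpl = globalThis.fetch } = {}) {
  let current = new URL(url).toString();
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(current, { redirect: "manual" });
    const next = nextHop(current, res.status, res.headers.get("location"));
    if (next === null) return res;
    current = next;
  }
  throw new Error(`too many redirects starting at ${url}`);
}

// Constructed offline stand-in for fetch: a table of canned responses keyed by
// URL, so the wrapper can be run without network access.
function fakeFetch(table) {
  return async (url) => {
    const entry = table[url];
    if (!entry) throw new Error(`no canned response for ${url}`);
    return { status: entry.status, url,
             headers: new Headers(entry.headers || {}),
             json: async () => entry.body };
  };
}
```

With a canned table in which `https://api.example.test/repos` answers 302 to `http://api.example.test/repos`, `fetchNoDowngrade` rejects with the downgrade error rather than returning the plaintext response.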