Monthly Archives: March 2014

Javascript security

the state of Mixed Mode

browsersecurity
When a browser grabs a webpage over HTTPS, *nobody* (aside from revelations that governments can see our SSL traffic) can see what’s happening between your browser and the target webserver.  You are protected against the prying eyes of an evil network admin, proxy admin or even government.

Modern websites often import JavaScripts files from multiple sources, to have extra functionality (Facebook’s like button, widgets) or entire frameworks such as JQuery or YUI.  If these JavaScript resources are loaded form a non-SSL location, we refer to this usually as Mixed Content mode.  I did some research to find out how browsers handle these things; both on desktops as well as mobiles.

Please run the tests on https://bloat.io/mm/, it looks *very* rudimentary, but I am gathering some information from different browsers.  Let the page load for a few seconds, and everything gets logged in a database.  As a “visual”, the more “warning icons” you see, the more vulnerable your browser is.

Don’t worry, it won’t try to exploit anything or crash.