Hi,

Rob Heittman wrote:
> You'd have to change the CSS to also reference the images, etc. over
> https. The warning you describe will be triggered whenever you have an
> HTML page, delivered over https, that calls images, CSS, or javascript
> from another source, delivered over http. This isn't a Restlet thing
> ... it applies to any SSL Web server.

Yes, I agree. Although it's possible to turn off this warning in Firefox, I'd suggest keeping it on. In terms of site design, it's bad practice to mix HTTPS and plain HTTP content.

I've recently found a security issue with a service we use (I believe the vendor is investigating the matter). Access to the whole site was supposed to be secure because it was served over HTTPS. However, one of the web pages was loading a JavaScript document, which was linking another JavaScript document, this time in plain HTTP. (Surprisingly enough, this second link was a plain HTTP URL only if "Mac" was in the user-agent header!) Even if this last request failed with a 404 status code (the document being actually only served over HTTPS), the request was made over plain HTTP and contained the authenticated session cookie. Therefore, someone intercepting that request would be able to hijack the session.

I haven't looked at how IE behaves with mixed content, but the downside of Firefox warnings is that they are just warnings (you can't cancel the request: you can only realise it's too late).

> However, one neat Restlet thing that does help, is the Redirector
> feature. This is a bit advanced, but you can use the Redirector on your
> local web service to proxy these requests to the other server; this can
> be used to avoid such warnings and single-source issues, at the expense
> of some overhead in your web service and a responsibility to manage the
> security appropriately.

+1

Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1499674
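
Added example, not part of the original message: a static check for the failure described above, where a script served over HTTPS references a plain-HTTP URL on the same site while the session cookie has no Secure attribute. The host name, file names and cookie are constructed, and treating cookie scope as the site host plus its subdomains is a simplifying assumption.

```javascript
'use strict';
// Added example: all hosts, file names and cookie values below are constructed.

// Every absolute http:// URL in a resource body. Scanning the source text sees
// all branches of a script, including ones a given browser never executes.
function plainHttpUrls(body) {
  return Array.from(body.matchAll(/http:\/\/[^\s"'()<>]+/g), m => m[0]);
}

// True when a Set-Cookie header value has no Secure attribute, so the browser
// will attach that cookie to plain-HTTP requests as well.
function lacksSecure(setCookie) {
  return !setCookie.split(';').slice(1)
    .some(attr => attr.trim().toLowerCase() === 'secure');
}

// resources: { name: body } as served over HTTPS; setCookies: Set-Cookie values.
function audit(siteHost, resources, setCookies) {
  const weakCookies = setCookies.filter(lacksSecure).map(c => c.split('=')[0]);
  const findings = [];
  for (const [resource, body] of Object.entries(resources)) {
    for (const url of plainHttpUrls(body)) {
      let host;
      try { host = new URL(url).hostname; } catch { continue; }
      // Simplification: cookie scope is treated as siteHost plus its subdomains.
      const inScope = host === siteHost || host.endsWith('.' + siteHost);
      findings.push({ resource, url, exposes: inScope ? weakCookies : [] });
    }
  }
  return findings;
}

const SAMPLE_RESOURCES = {
  '/index.html': '<script src="https://app.example.test/js/loader.js"></script>',
  '/js/loader.js': [
    'var mac = navigator.userAgent.indexOf("Mac") !== -1;',
    'var src = mac ? "http://app.example.test/js/extra.js"',
    '              : "https://app.example.test/js/extra.js";',
  ].join('\n'),
};
const SAMPLE_COOKIES = ['SESSIONID=constructed-value; Path=/; HttpOnly'];

function runSample() {
  return audit('app.example.test', SAMPLE_RESOURCES, SAMPLE_COOKIES);
}
console.log(JSON.stringify(runSample(), null, 2));
```

URLs assembled by string concatenation at run time will not match the pattern, so a clean result here does not replace watching the requests a browser actually sends.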