Hi,

Rob Heittman wrote:
> You'd have to change the CSS to also reference the images, etc. over 
> https.  The warning you describe will be triggered whenever you have an 
> HTML page, delivered over https, that calls images, CSS, or javascript 
> from another source, delivered over http.  This isn't a Restlet thing 
> ... it applies to any SSL Web server.

Yes, I agree. Although it's possible to turn off this warning in Firefox, 
I'd suggest keeping it on.

In terms of site design, it's bad practice to mix HTTPS and plain HTTP 
content.

I've recently found a security issue with a service we use (I believe 
the vendor is investigating the matter). Access to the whole site was 
supposed to be secure because it was served over HTTPS. However, one of 
the web pages was loading a JavaScript document, which was linking to 
another JavaScript document, this time over plain HTTP. (Surprisingly 
enough, this second link was a plain HTTP URL only if "Mac" was in the 
user-agent header!)
Even though this last request failed with a 404 status code (the document 
was actually served only over HTTPS), the request was made over plain 
HTTP and contained the authenticated session cookie. Therefore, someone 
intercepting that request would be able to hijack the session.

I haven't looked at how IE behaves with mixed content, but the downside 
of Firefox warnings is that they are just warnings (you can't cancel the 
request: you can only realise it's too late).


> However, one neat Restlet thing that does help, is the Redirector 
> feature.  This is a bit advanced, but you can use the Redirector on your 
> local web service to proxy these requests to the other server; this can 
> be used to avoid such warnings and single-source issues, at the expense 
> of some overhead in your web service and a responsibility to manage the 
> security appropriately.

+1


Best wishes,

Bruno.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=1499674
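The cookie leak Bruno describes can be reproduced offline with Python's standard cookie jar, whose default policy follows the same rule browsers do: a cookie set over HTTPS is attached to any later request to the same host, including a plain-HTTP script load that will 404, unless the cookie carries the Secure attribute. The following is an added example, not code from the thread, from Restlet, or from the vendor Bruno mentions; the host app.example.com, the URLs and the JSESSIONID value are made up for the demonstration.

```python
"""Reproduce the mixed-content cookie leak with http.cookiejar.

Scenario: a login response over HTTPS sets the session cookie, and a page
later pulls in a script over plain HTTP.  Without the Secure attribute the
jar attaches the cookie to that plain-HTTP request (the server answering
404 changes nothing, the request already left in the clear).  With Secure,
the jar withholds it, while the same URL over HTTPS still gets the cookie.

Added example; hostnames, cookie name and value are assumptions.
"""
import email.message
import http.cookiejar
import urllib.request

LOGIN_URL = "https://app.example.com/login"            # assumed host
HTTP_SCRIPT = "http://app.example.com/mac/extra.js"    # the plain-HTTP link
HTTPS_SCRIPT = "https://app.example.com/mac/extra.js"  # same file over HTTPS


class SetCookieResponse:
    """Minimal stand-in for the HTTPS login response carrying Set-Cookie."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        # CookieJar.extract_cookies() reads Set-Cookie via response.info()
        return self._headers


def cookie_sent_to(set_cookie, url):
    """Store `set_cookie` as if returned by LOGIN_URL, then request `url`.

    Returns the Cookie header the jar attached to that request, or None
    when the jar withheld the cookie (Secure cookie on an http:// URL).
    """
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy, like a browser
    login_req = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(SetCookieResponse(set_cookie), login_req)

    sub_req = urllib.request.Request(url)
    jar.add_cookie_header(sub_req)
    return sub_req.get_header("Cookie")


def compare_flags():
    """Return {case: Cookie header or None} for the leaky and hardened cookies."""
    plain = "JSESSIONID=abc123; Path=/; HttpOnly"
    hardened = "JSESSIONID=abc123; Path=/; HttpOnly; Secure"
    return {
        "no_secure_http": cookie_sent_to(plain, HTTP_SCRIPT),    # leaks
        "secure_http": cookie_sent_to(hardened, HTTP_SCRIPT),    # withheld
        "secure_https": cookie_sent_to(hardened, HTTPS_SCRIPT),  # still works
    }


if __name__ == "__main__":
    for case, header in compare_flags().items():
        print(f"{case:15s} -> {header!r}")
```

The point of the third case is that marking the session cookie Secure costs nothing on a site that is entirely HTTPS; it only stops the cookie from riding along on the stray plain-HTTP request. Serving every subresource over HTTPS (or proxying it through the Redirector as Rob suggests) removes the mixed-content warning; the Secure attribute is the belt to that pair of braces, since it also covers links you have not found yet.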