On 8/2/06, Declerck Michael-W30479 <W30479@xxxxxxxxxxxx> wrote:
> Under 'view page info' then 'links' I have about nine different http:// links, but most of them lead away from my site. One of the links is a form submission to an intranet search database (I have to include that because of intranet standards), and the javascript for that searching function is sourced from another site on the intranet. I have a rewrite rule that transfers all http:// requests to https://, but I had all my site links changed anyway. What does the linking have to do with the partially encrypted message? And could external javascript sourcing cause a hole in the SSL encryption?
Firefox appears to be doing the right thing here. The reference to your javascript being via http:// causes the error message to be displayed, quite rightly in my opinion. Imagine that the link was included in the page not by you, but as the result of an XSS vulnerability. In that case, the javascript could easily disclose private information.

--
noodl

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
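Added example, not part of the original thread: a small Python audit that lists the plain-http references in a page served over https, separating resources the browser loads into the page (the script case discussed above) from form targets and ordinary outbound links. The sample page, the host names, and the names audit and MixedContentFinder are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> how the browser uses the URL.
KINDS = {("form", "action"): "form", ("a", "href"): "link"}
KINDS.update({pair: "subresource" for pair in [
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("link", "href")]})

class MixedContentFinder(HTMLParser):
    """Collect plain-http references from a page served over https."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            # Resolve relative and //host/ references against the page URL.
            url = urljoin(self.page_url, (value or "").strip())
            if urlsplit(url).scheme != "http":
                continue
            kind = KINDS.get((tag, name))
            # <link> is only fetched into the page for stylesheets and icons.
            if tag == "link" and not ("stylesheet" in rel or "icon" in rel):
                kind = None
            if kind:
                self.findings.append((kind, tag, url))

def audit(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; host names are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://search.intranet.example/js/search.js"></script>
</head><body>
<a href="http://other.example/">elsewhere</a>
<img src="//static.intranet.example/logo.png">
<form action="http://search.intranet.example/query"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE_PAGE, "https://www.intranet.example/"):
        print(f"{kind:12} <{tag}> {url}")
```

The "subresource" entries are the ones fetched into the page itself, like the http:// script reference discussed in the reply; "link" entries are outbound links that are not loaded into the page.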