Comments on Jun Meng's blog: That so-called security feature is still in IE 7 ?!
(comment feed, last updated 2023-11-02T07:59:45-04:00)

Jun Meng (https://www.blogger.com/profile/15324717216888733477), 2007-01-12T10:18:00-05:00:

The problem is you can embed a normal HTTP "link" in the page without that warning. Only when the page has HTTP "content" does that warning appear.

For a Cross Site Scripting Attack, the warning will not be shown because the page will only include an HTTP "link" to the attacker's site, not "content" from the attacker's site.

For example: there is no warning for <a href="http://somesite.com">. But you will see the warning when the page has <script src="http://somesite.com/script.js">, because the script "content" is downloaded as part of the page.

Anonymous, 2007-01-11T23:18:00-05:00:

I think the reason MS added this feature is to alert the user that some unprotected resource is linked to the supposedly secure page.

I hear your point about images, Google Maps etc., but imagine that the author had linked to a web service (JSON) or some service that collects data from the page (AJAX). Wouldn't you want to know that as a user before submitting your credit card or SSN?

Generally, secure sites for transactional purposes are secured for the entire domain (secure.domain.com), so images, CSS, script etc. are covered under HTTPS. It's only when SSL is used for other purposes where mixed content is present (blogs, community sites where users add links to remote sites) that this problem arises.

You may have heard of "cross-site-script-infection". This is a good example of why this warning dialog is required. If a malicious site installs naughty script in a parallel open page, and this script sends critical data out to a hacker web site, then the user should know about it.