digideskio / zotonic

Automatically exported from code.google.com/p/zotonic

Including jquery.js from googleapis makes site possibly vulnerable to man-in-the-middle attacks when used with SSL #111

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
    Install zotonic behind an SSL proxy, like apache.

What is the expected output? What do you see instead?
    Because the jquery javascript is included from a google http (not https) URL, a malicious man-in-the-middle attacker can inject arbitrary javascript code on the website, even if the website itself is served via SSL.

What version of the product are you using? On what operating system?
    0.5.0, OS independent issue

Proposed fix
    Do not fetch the jquery javascript files from google apis, but from the same URL the zotonic site is served from. This also resolves some privacy issues, because google does not see every request made to a zotonic site ;-)

Original issue reported on code.google.com by hcespe...@googlemail.com on 13 Oct 2010 at 10:49

GoogleCodeExporter commented 8 years ago
I think the better fix might be to use the protocol of the current page when fetching files from external uris. Like the way Google includes the Analytics files.

Original comment by ma...@pobox.com on 13 Oct 2010 at 10:57

GoogleCodeExporter commented 8 years ago

Original comment by ma...@pobox.com on 13 Oct 2010 at 5:47

GoogleCodeExporter commented 8 years ago
Since revision 02c0e4e3974b (release 0.6), jQuery and jQuery UI are included with Zotonic.

Original comment by scherpenisse on 11 Feb 2011 at 8:26
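
The check below is an added example, not part of the original issue thread or Zotonic's code. It resolves each `<script src>` the way a browser does and flags loads that leave an HTTPS page exposed, covering the three variants discussed above: an explicit `http://` include, a protocol-relative include, and a self-hosted file. The sample markup, the `site.example` host and the file paths are constructed for illustration, and the regex extraction is a simplification for auditing templates.

```javascript
// Matches <script ... src="..."> or src='...' (simplified, not a full HTML parser).
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(["'])(.*?)\1/gi;

function auditScriptSources(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const match of html.matchAll(SCRIPT_SRC)) {
    const src = match[2];
    // Resolve as the browser does: relative and protocol-relative
    // ("//host/path") references inherit the scheme of the page.
    const resolved = new URL(src, page);
    let verdict;
    if (page.protocol === "https:" && resolved.protocol === "http:") {
      // Script travels in cleartext although the page itself is protected.
      verdict = "insecure-on-https-page";
    } else if (resolved.origin === page.origin) {
      verdict = "same-origin";
    } else {
      // Transport matches the page, but a third party still serves the code
      // and sees the request.
      verdict = "third-party";
    }
    findings.push({ src, resolved: resolved.href, verdict });
  }
  return findings;
}

// Constructed sample template (paths are hypothetical).
const SAMPLE_HTML = `
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1/jquery-ui.min.js"></script>
<script src="/lib/js/jquery.js"></script>
`;

// The same template audited as served behind an SSL proxy.
const SAMPLE_FINDINGS = auditScriptSources(SAMPLE_HTML, "https://site.example/page");
for (const f of SAMPLE_FINDINGS) {
  console.log(f.verdict.padEnd(24), f.resolved);
}
```

Running the same audit with an `http://` page URL shows that the protocol-relative include falls back to cleartext there, which is why it only protects pages that are themselves served over HTTPS.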