jquery / codeorigin.jquery.com

jQuery CDN
https://releases.jquery.com

Redirect to https #69

Closed jcubic closed 3 years ago

jcubic commented 3 years ago

I'm not sure if this is the right place to report this, but:

http://code.jquery.com/

doesn't redirect to https, and the links are just paths, so they are also http (so if you use "copy link" in the context menu you will get an http link).

Maybe everything should be redirected to https including the file links.

Krinkle commented 3 years ago

We choose not to perform forceful redirects from HTTP for back-compatibility. As a widely used CDN, these can cause issues for some users where HTTPS is not an option, where it is intentionally not used, or where redirects may cause failures.

We have seen more than once in large projects that while in theory all HTTP clients should be able to follow redirects, there are plenty of proxies and crawler scripts that will naively download a URL and use the response. I've more than once found that a deployment pipeline, build script, or production workload stopped working because a URL became a redirect. At this point, it does not seem to benefit anyone if we deny HTTP serving and/or force redirects.

We have been promoting the use of SRI hashes in <script> tags for many years, which can be seen by clicking on any resource at https://code.jquery.com/ (uses JavaScript). In supported browsers, when using SRI, it is thus already validated that the expected content is served and cannot be modified or otherwise hijacked.

See also https://jcs.org/2021/01/06/plaintext for background on HTTP access.

However, enabling HSTS and adding ourselves to the preload list makes perfect sense. This will be worked on at https://github.com/jquery/codeorigin.jquery.com/issues/63.
