Just stumbled across this project and I find it very interesting.
However, I noticed that in the project home, all examples load the JS file
using plain HTTP.
It's true that one using this library probably can figure it out by himself, but I
believe it would be wise to update those examples to use HTTPS instead
(googlecode is also available under HTTPS) and perhaps add a recommendation to
use HTTPS on *all* components of a security-sensitive web application (at least
all components that may contain javascript, like html and js files).
The reason is quite simple: plain HTTP is subject to man-in-the-middle attacks,
so an attacker could easily inject malicious code into the client's browser
(say, pretending he is code.google.com) and grab the sensitive information.
Original issue reported on code.google.com by davide.k...@gmail.com on 22 Feb 2015 at 10:06
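
A check for the problem this report describes, as an added example that is not part of the original issue or the project's code: it lists every script-capable include in an HTML page that would be fetched over plain HTTP, including protocol-relative and relative URLs that inherit the page's own scheme. The function name, the tag list and the `example.test` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute pulls in content that can run script in the page.
ACTIVE_SOURCES = {"script": "src", "iframe": "src", "frame": "src",
                  "embed": "src", "object": "data"}


class _ActiveContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_SOURCES.get(tag)
        raw = dict(attrs).get(attr) if attr else None
        if not raw:
            return
        # Resolve against the page URL so "//host/x.js" and "x.js" are judged
        # by the scheme the browser would actually use to fetch them.
        resolved = urljoin(self.page_url, raw.strip())
        if urlsplit(resolved).scheme == "http":
            line, _ = self.getpos()
            self.findings.append((line, tag, resolved))


def find_insecure_active_content(html, page_url):
    """Return (line, tag, resolved_url) for each include fetched over HTTP."""
    finder = _ActiveContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from the project home.
SAMPLE = """<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<script src="app.js"></script>
</head><body><iframe src="http://example.test/widget.html"></iframe></body></html>"""

if __name__ == "__main__":
    for page in ("https://app.example.test/index.html",
                 "http://app.example.test/index.html"):
        print(page)
        for line, tag, url in find_insecure_active_content(SAMPLE, page):
            print(f"  line {line}: <{tag}> loads {url}")
```

When the page itself is served over HTTP, the protocol-relative and relative includes are reported as well, which is why HTTPS is needed on the HTML and not only on the library URL.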