12-18-2020, 08:24 AM   #8
Quoth
Quote:
Originally Posted by NullNix
Mixed content is an actual security risk: it's not called insecure for nothing. This is not "arrogance", it's only common sense -- if you're transferring a webpage via an encrypted channel (SSL/TLS), that page shouldn't be calling on unencrypted resources as part of the page load, because third parties can spy on your (unencrypted) requests for those resources in transit. This can and does leak state associated with the encrypted page!

There's a *reason* browsers are increasingly banning this. Amazon is at fault for using it -- if it is: I've just tried a download from amazon.co.uk's Manage Your Kindle page and it worked fine with mixed content blocked. Maybe this is yet another thing that varies by country.
No, it's stupid and arrogant. There is a longer answer. The big issue is the JavaScript in 3rd party adverts, even ones brokered by Google. Not a JavaScript that does the download. And Chrome doesn't block 3rd party malware-laced JavaScript adverts. They even want to prevent you doing that.

Also if you use a public WiFi point the HTTPS can be spied on. The main issue needing HTTPS is logins and form filling, not downloads.
Which actually shouldn't be using JavaScript at all, but it's not Google's job to decide how the Internet works. Even if some of it makes sense.
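The mixed-content situation described in the quoted text above (an HTTPS page referencing plain-HTTP resources) can be checked offline with a small auditor. This is an added example, not part of either poster's message; the host names, the sample markup and the three-way grouping into active, passive and navigation references are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> category; "navigation" is only requested after a click or submit.
FETCHES = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
    ("img", "src"): "passive", ("video", "src"): "passive", ("audio", "src"): "passive",
    ("a", "href"): "navigation", ("form", "action"): "navigation",
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a subresource for stylesheets; skip rel=canonical etc.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), category in FETCHES.items():
            if t != tag or not attrs.get(attr):
                continue
            # Resolve relative and protocol-relative URLs against the page,
            # so "//cdn.example/app.js" correctly inherits https.
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((category, tag, url))

def audit(page_url, html):
    """Return (category, tag, url) for each plaintext reference on an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for securely delivered pages
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """
<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="http://shop.example/library">
<script src="//cdn.example/app.js"></script>
<script src="http://ads.example/banner.js"></script>
<img src="http://img.example/cover.jpg">
<a href="http://files.example/book.azw3">Download</a>
"""

if __name__ == "__main__":
    print(*audit("https://shop.example/library", SAMPLE), sep="\n")
```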