[Webcom] Webcom Digest, Vol 88, Issue 5
Mark Johnson
mjohnson at ncbi.nlm.nih.gov
Fri Jul 29 12:08:04 PDT 2016
I can take a shot at explaining. It's not that anyone necessarily cares that someone is looking at map tiles. But pages served over https aren't allowed to load active content over http. The reason is, a Bad Guy can figure out a way (by infecting your browser, for example) of injecting code that loads stuff from his server. And/or *pushes* stuff to his server. Like whatever else is on that page that is showing the map tiles. If the URL that loads the map tiles is https, well, "Too bad, Bad Guy, it's encrypted--go spy on someone else." But if it's plain old http... Bad Guy wins. Mwa ha ha.

So that's why browsers don't allow active mixed content on https-loaded pages, even for innocuous stuff.
By the way, US government sites, and other secure sites, are going to be implementing something called HSTS (google it), which tells the browser "from now on, only ever speak https to this domain". So even if the page source says http://osgeo.org/.../foo.js, the browser will automatically ask for https://osgeo.org/... instead. If the certs on your server are bad, though, the browser will refuse to load. So for some sites, https will make osgeo resources broken.
--Mark Johnson
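The two behaviours described in the post, as an added example that is not part of the original message: a small checker that lists the http sub-resources of an https page (splitting them into the "active" kind browsers block and the "passive" kind they only flag), plus a parser for a Strict-Transport-Security header and the http-to-https rewrite a browser applies once it remembers that policy. The sample page and the tiles.example.org host are constructed; osgeo.org is the domain the post mentions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Active mixed content (scripts, frames, stylesheets, plugins) is blocked
# outright on https pages; passive content (images, media) is only flagged.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class _ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url) for each element that loads a sub-resource
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") or (a.get("href") if tag == "link" else None)
        if url and tag in ACTIVE_TAGS | PASSIVE_TAGS:
            self.found.append((tag, url))

def find_mixed_content(html):
    """For an https page, return (active, passive) lists of http sub-resources."""
    collector = _ResourceCollector()
    collector.feed(html)
    active, passive = [], []
    for tag, url in collector.found:
        if urlsplit(url).scheme == "http":  # https or scheme-relative is fine
            (active if tag in ACTIVE_TAGS else passive).append((tag, url))
    return active, passive

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, subs = 0, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(value.strip('" '))
        elif name.lower() == "includesubdomains":
            subs = True
    return max_age, subs

def upgrade_url(url, hsts_store):
    """Rewrite http to https when the host is covered by a remembered HSTS policy."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for known, (max_age, subs) in hsts_store.items():
        covered = host == known or (subs and host.endswith("." + known))
        if parts.scheme == "http" and max_age > 0 and covered:
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url

# Constructed sample: an https map page pulling a script and tiles over http.
SAMPLE_HTML = ('<script src="http://osgeo.org/js/foo.js"></script>'
               '<img src="http://tiles.example.org/3/4/5.png">')
SAMPLE_HSTS = {"osgeo.org": parse_hsts("max-age=31536000; includeSubDomains")}
```

With the policy remembered for osgeo.org, the script URL is rewritten to https before any request is made, while the tile host, which has no policy, is left as plain http and would be flagged as passive mixed content.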