[Webcom] Webcom Digest, Vol 88, Issue 5

Christian Willmes c.willmes at uni-koeln.de
Sat Jul 30 07:05:44 PDT 2016


Thanks. That helps with understanding. Fair point...

On 29.07.2016 21:08, Mark Johnson wrote:
> I can take a shot at explaining. It's not that anyone necessarily cares
> that someone is looking at map tiles. But pages served over https aren't
> allowed to load active content over http. The reason is, a Bad Guy can
> figure out a way (by infecting your browser, for example) of injecting
> code that loads stuff from his server. And/or *pushes* stuff to his
> server. Like whatever else is on that page that is showing the map tiles.
> If the URL that loads the map tiles is https, well, "Too bad, Bad Guy,
> it's encrypted--go spy on someone else." But if it's plain old http...
> Bad Guy wins. Mwa ha ha.
>
> So that's why browsers don't allow active mixed content on https-loaded
> pages, even for innocuous stuff.
>
> By the way, US government sites, and other secure sites, are going to be
> implementing something called HSTS (google it), which tells the browser
> "from now on, only ever speak https to this domain". So even if the page
> source says http://osgeo.org/.../foo.js, the browser will automatically
> ask for https://osgeo.org/... instead. If the certs on your server are
> bad, though, the browser will refuse to load. So for some sites, https
> will make osgeo resources broken.
>
>
> --Mark Johnson
>
> _______________________________________________
> Webcom mailing list
> Webcom at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/webcom
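As an added example (not part of this thread, and not osgeo.org's code), the two points Mark makes above can be checked mechanically: a small script that lists which subresources of an https page would still be fetched over plain http, split into the "active" kind browsers block outright and the "passive" kind they warn about or upgrade, plus a parser for the Strict-Transport-Security header that HSTS is delivered in. The page URL, hostnames and HTML below are constructed for the example; the active/passive split is a simplification of the browsers' mixed-content rules, and the one-year minimum is the value the HSTS preload list asks for.

```python
"""Mixed-content and HSTS checks. Constructed example; sample data is made up."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources that can run script or restyle the page: browsers block these
# on an https page when the URL is plain http ("active mixed content").
ACTIVE_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Subresources that are only displayed: browsers warn about or upgrade these.
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src"}


class _SubresourceCollector(HTMLParser):
    """Collects (kind, tag, absolute_url) for every subresource reference."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "link":
            # Stylesheets are active; other <link> targets (icons etc.) are passive.
            rel = attrs.get("rel", "").lower().split()
            kind, attr = ("active" if "stylesheet" in rel else "passive"), "href"
        elif tag in ACTIVE_TAGS:
            kind, attr = "active", ACTIVE_TAGS[tag]
        elif tag in PASSIVE_TAGS:
            kind, attr = "passive", PASSIVE_TAGS[tag]
        else:
            return
        if attrs.get(attr):
            # urljoin resolves relative and protocol-relative (//host/x) URLs
            # against the page, so those inherit the page's https scheme.
            self.findings.append((kind, tag, urljoin(self.page_url, attrs[attr])))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for subresources an https page would fetch over http."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on https pages
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return [f for f in collector.findings if urlsplit(f[2]).scheme == "http"]


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value; directive names are case-insensitive."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                policy["max_age"] = None  # malformed max-age: browsers ignore the header
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_pins_https(header_value, min_age=31536000):
    """True if the header commits the browser to https for at least min_age seconds
    (one year is what the HSTS preload list requires). max-age=0 clears the policy."""
    policy = parse_hsts(header_value)
    return policy["max_age"] is not None and policy["max_age"] >= min_age


# Constructed sample page: an https map page pulling tiles and libraries over http.
SAMPLE_PAGE_URL = "https://example.org/map.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://tiles.example.net/leaflet.css">
<link rel="icon" href="http://tiles.example.net/favicon.ico">
<script src="http://tiles.example.net/leaflet.js"></script>
<script src="//cdn.example.com/lib.js"></script>
</head><body>
<img src="http://tiles.example.net/tiles/0/0/0.png">
<img src="https://tiles.example.net/tiles/0/0/1.png">
<iframe src="/embed.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:7} <{tag}> {url}")
    print(parse_hsts("max-age=31536000; includeSubDomains; preload"))
```

Running it on the sample lists the stylesheet and the script as active (these would be blocked, so the map would not render), the favicon and one tile image as passive, and nothing for the protocol-relative or same-origin references, which already resolve to https.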