Issue #834 resolved

HTTPS security compromised by insecure script download

Marti R.
created an issue

Even when accessing Bitbucket over a secure HTTPS connection, a JavaScript file is downloaded insecurely:


The attacker (a middleman) can just append malicious code to this script to, for instance, rig the login box and leak the password.

//(Also note: browsers display "secure site" icons only if all elements of a page are downloaded securely.

//Images from media-cdn.bitbucket.org and www.gravatar.com are downloaded insecurely; it's considered a good security practice to download all elements through secured connections as well, though I can't see an obvious attack scenario here. I do realize that Gravatar can't be secured easily.)
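A small scanner for the class of problem this issue reports (sub-resources fetched over plain HTTP from an HTTPS page), distinguishing the dangerous case (a script, which a middleman can rewrite) from the lower-risk one (an image). This is an added example written for this page, not code from the issue or from Bitbucket; the page URL and HTML below are constructed, with example hostnames standing in for the real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Sub-resources the browser executes: tampering with one of these
# hands the attacker control of the page (the "rig the login box" case).
ACTIVE = {"script": "src", "iframe": "src", "object": "data"}
# Sub-resources the browser only renders: tampering is far less severe.
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            severity, ref = "active", attrs.get(ACTIVE[tag])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or ""):
            severity, ref = "active", attrs.get("href")  # CSS can also reshape the page
        elif tag in PASSIVE:
            severity, ref = "passive", attrs.get(PASSIVE[tag])
        else:
            return
        if ref:
            # Resolve relative and protocol-relative ("//host/x.js") references
            # against the page URL; the latter inherit https and are fine.
            url = urljoin(self.page_url, ref)
            if urlsplit(url).scheme == "http":
                self.findings.append((severity, tag, url))


def find_mixed_content(page_url, html):
    """Return (severity, tag, url) for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only a concern on a secure page
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: an HTTPS login page with one insecure script and one insecure image.
SAMPLE_URL = "https://site.example/login"
SAMPLE_HTML = """<html><head>
<script src="http://static.example/app.js"></script>
<script src="https://static.example/safe.js"></script>
<link rel="stylesheet" href="//static.example/style.css">
</head><body>
<img src="http://cdn.example/avatar.png">
<form action="/login"><input type="password" name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"{severity:7s} <{tag}> {url}")
```

Any "active" finding means the HTTPS padlock no longer guarantees page integrity, which is exactly the situation the issue describes.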

