HTTPS security compromised by insecure script download

Issue #834 resolved
Marti R.
created an issue

Even when accessing Bitbucket over a secure HTTPS connection, a JavaScript file is downloaded insecurely:

The attacker (a middleman) can just append malicious code to this script to, for instance, rig the login box and leak the password.

//(Also note: browsers only display "secure site" icons if all elements of a page are downloaded securely.

//Images from and are downloaded insecurely; it's considered a good security practice to download all elements through secured connections as well, though I can't see an obvious attack scenario here. I do realize that Gravatar can't be secured easily.)
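A small checker for the problem the report describes, added here as an example (it is not Bitbucket's code nor the reporter's): it parses an HTTPS page's HTML and flags resources fetched over plain http, separating active mixed content (scripts, stylesheets, frames, which a man-in-the-middle could use to alter the page) from passive mixed content (images, the Gravatar case). The page URL, the sample markup and the hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Insecurely loaded content that can run code or restyle the page (active mixed content)
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}
# Insecurely loaded content that only changes what is displayed (passive mixed content)
PASSIVE = {"img": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        # <link> only pulls in active content when it is a stylesheet
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # Resolve against the page so scheme-relative "//host/x" inherits https
        absolute = urljoin(self.page_url, ref)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    """Return the insecurely loaded resources of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for an https page")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample markup (not Bitbucket's real page) mirroring the report
SAMPLE_HTML = """<html><head>
<script src="http://static.example.test/app.js"></script>
<script src="/js/local.js"></script>
<link rel="stylesheet" href="//static.example.test/site.css">
</head><body>
<img src="http://gravatar.example.test/avatar/placeholder.png">
<img src="https://cdn.example.test/logo.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://bitbucket.example.test/", SAMPLE_HTML):
        print(f"{kind:7} <{tag}> loads {url}")
```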
