============================= = secure.js = = = = by zx2c4 = = Jason Donenfeld = = Jason@zx2c4.com = ============================= Sometimes you want to provide a javascript service to somebody, but you only want it to run in an HTTPS context, because the information that your script will help gather from the page is somewhat sensitive. One way of enforcing HTTPS is to check that location.protocol is "https:", but this is extremely limited becuase it does not account for the possibility that your script may be included along side other scripts from other servers that are not loaded over HTTPS. When this happens, the security of your site is defeated, and man-in-the-middle attacks become practical. secure.js solves this issue by monitoring the DOM for changes and continiously checking whether or not any external resources have been added that are non-HTTPS. Suggestions and improvements are welcome.