| author | 2012-03-09 01:58:19 +0100 | |
|---|---|---|
| committer | 2012-03-09 02:33:11 +0100 | |
| commit | 3f6797c21bb4c967266ca2227111409e8f069692 (patch) | |
| tree | 9f4c486a31a73f82b8a52fc08391fc0f4e3eb460 /README.txt | |
Diffstat (limited to 'README.txt')
| -rw-r--r-- | README.txt | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..9450028 --- /dev/null +++ b/README.txt @@ -0,0 +1,25 @@ +============================= += secure.js = += = += by zx2c4 = += Jason Donenfeld = += Jason@zx2c4.com = +============================= + +Sometimes you want to provide a javascript service to somebody, +but you only want it to run in an HTTPS context, because the +information that your script will help gather from the page is +somewhat sensitive. + +One way of enforcing HTTPS is to check that location.protocol is +"https:", but this is extremely limited becuase it does not +account for the possibility that your script may be included +along side other scripts from other servers that are not loaded +over HTTPS. When this happens, the security of your site is +defeated, and man-in-the-middle attacks become practical. + +secure.js solves this issue by monitoring the DOM for changes and +continiously checking whether or not any external resources have +been added that are non-HTTPS. + +Suggestions and improvements are welcome. |
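Review bot: the third paragraph of the new README.txt says secure.js works by "monitoring the DOM for changes" and "checking whether or not any external resources have been added that are non-HTTPS", but it does not say what the script does once it finds one, or whether a script that was loaded over HTTP and already ran before the check is covered. A sentence on each, plus a short usage line showing how the script is meant to be included, would let an integrator judge what guarantee they actually get. Spelling in the same file: "becuase" should be "because", "continiously" should be "continuously", and "along side" reads better as "alongside".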
