Diffstat (limited to 'README.txt')
-rw-r--r--  README.txt  25
1 files changed, 25 insertions, 0 deletions
diff --git a/README.txt b/README.txt
new file mode 100644
index 0000000..9450028
--- /dev/null
+++ b/README.txt
@@ -0,0 +1,25 @@
+=============================
+= secure.js =
+= =
+= by zx2c4 =
+= Jason Donenfeld =
+= Jason@zx2c4.com =
+=============================
+
+Sometimes you want to provide a javascript service to somebody,
+but you only want it to run in an HTTPS context, because the
+information that your script will help gather from the page is
+somewhat sensitive.
+
+One way of enforcing HTTPS is to check that location.protocol is
+"https:", but this is extremely limited becuase it does not
+account for the possibility that your script may be included
+along side other scripts from other servers that are not loaded
+over HTTPS. When this happens, the security of your site is
+defeated, and man-in-the-middle attacks become practical.
+
+secure.js solves this issue by monitoring the DOM for changes and
+continiously checking whether or not any external resources have
+been added that are non-HTTPS.
+
+Suggestions and improvements are welcome.
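Review bot: the README explains the detection approach but never says what secure.js does once a non-HTTPS resource is found, and that is the part a user of the service needs to know; the paragraph starting "secure.js solves this issue by monitoring the DOM for changes" should state the response (refuse to run, stop gathering data, report it) and note that resources already present before the script loads need an initial scan, since DOM change monitoring only sees additions made afterwards. The same paragraph should also carry the caveat that watching for changes is reactive: a plain-HTTP script inserted into the page can be requested and may begin executing before the monitoring code observes the insertion, so the check reduces the window rather than closing it, and the "man-in-the-middle attacks become practical" sentence above sets an expectation the README should qualify accordingly. Minor: "becuase", "along side" and "continiously" should read "because", "alongside" and "continuously".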