[Tepix]

How do they inject stuff into HTTPS pages?

[eggsnbacon1]

Unless the site uses certificate pinning its possible to do a downgrade attack that forces browser off of HTTPS. The extension HTTPS Everywhere is a stopgap against this

[walrus01]

things that do stuff like this can't, they try whatever tricks are possible to push javascript or redirects to send the client browser to something non https, on port 80

[kzrdude]

it does say "Not secure" for the https info, so I guess they intercept the request

[disiplus]

yeah but not secure is regular http. on https they cannot do that without triggering a browser warning.