[dingnuts]

the SITE can do that when HTTPS is used, yes, but an unauthorized third party can inject stuff much more easily when it's plain HTTP. A little ARP poisoning and some mitmproxy and before you know it you're injecting malware or whatever

Whether or not that matters when viewing this particular site is up for debate

[lxgr]

Yes – into the sandbox of this particular site (and limited to non-HTTPS-mandatory browser APIs at that).

If that's a big threat vector, I feel like the much bigger risk would be visiting malicious sites, not a local or ISP located attacker injecting stuff into benevolent-but-HTTP-only ones.

[ndsipa_pomu]

> limited to non-HTTPS-mandatory browser APIs at that

Another trick that could easily be pulled by a malicious ISP/wifi provider is to insert a redirect into the HTTP page to go to an HTTPS site controlled by the attacker (presumably with some semi-related name so as to not seem suspicious to the user) and to then bypass non-HTTPS restrictions in the browser.