by lxgr
578 days ago
Yes – into the sandbox of this particular site (and limited to non-HTTPS-mandatory browser APIs at that). If that's a big threat vector, I feel like the much bigger risk would be visiting malicious sites, not a local or ISP located attacker injecting stuff into benevolent-but-HTTP-only ones.

Another trick that could easily be pulled by a malicious ISP/wifi provider is to insert a redirect into the HTTP page to go to an HTTPS site controlled by the attacker (presumably with some semi-related name so as to not seem suspicious to the user) and to then bypass non-HTTPS restrictions in the browser.