by e12e
4727 days ago
Great link on AngularJS injection. Unfortunately the code shown is also an example of the kind of thing that makes me less than enthusiastic about a lot of the blogs I see on web apps. Right at the top (of the code) we have:

<script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.0.4/angular.js"></script>

When https would have worked just fine. Instead, because it's referenced with http, we're basically saying - insert some random code in our page, if there's anyone that can spoof packets. It's like Microsoft Office Macros all over again -- only much worse. Later he calls the github api over https -- but (and this is a genuine question, I don't know) -- what would happen if github redirected from https to http? Would it fail, or would we get random insecure data import?

$http.get('https://api.github.com/repos/angular/angular.js/commits')

(Now, redirecting to http would obviously be, well, bad form at least -- but conceivable to stave off slashdotting by an overworked sysadmin, perhaps?)
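The two risks the comment raises, a script tag loaded over plain http and an API call that might be redirected from https to http, as an added example that is not part of the comment, of the blog it discusses, or of AngularJS. It is a small Node.js audit: one function finds http-sourced script tags in an HTML string and one rewrites them to https, and a simulated fetch follows a constructed redirect chain but refuses any https-to-http hop instead of silently importing data over the insecure leg. The hosts under example.invalid and the response table are constructed for the example; the googleapis URL is the one quoted in the comment.

```javascript
// Added example (not from the original comment or from AngularJS): a small
// defensive audit of http-sourced scripts and https->http redirect downgrades.

// Matches <script ... src="http://..."> and captures the plain-http URL.
const INSECURE_SCRIPT = /<script\b[^>]*\bsrc\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;

// Return every script source loaded over plain http in an HTML string.
// A network attacker who can spoof the response gets to run code in the page.
function findInsecureScripts(html) {
  const found = [];
  let m;
  while ((m = INSECURE_SCRIPT.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Rewrite http:// script sources to https:// (the fix the comment suggests).
function upgradeScriptSources(html) {
  return html.replace(/(<script\b[^>]*\bsrc\s*=\s*["']?)http:\/\//gi, '$1https://');
}

// Given the URL that was requested and the Location header of a redirect,
// decide whether following it would downgrade from https to http.
// Relative Locations are resolved against the requesting URL.
function isDowngrade(fromUrl, location) {
  const from = new URL(fromUrl);
  const to = new URL(location, from);
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Simulated fetch over a constructed response table (URL -> {status, location, body}).
// It follows redirects like a client would, but refuses any https->http hop,
// so a downgrade fails loudly instead of importing data over plain http.
function fetchNoDowngrade(startUrl, responses, maxHops = 5) {
  let url = startUrl;
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = responses[url];
    if (!res) throw new Error(`no response for ${url}`);
    if (res.status >= 300 && res.status < 400 && res.location) {
      if (isDowngrade(url, res.location)) {
        throw new Error(`refusing https->http downgrade: ${url} -> ${res.location}`);
      }
      url = new URL(res.location, url).href;
      continue;
    }
    return { url, status: res.status, body: res.body };
  }
  throw new Error('too many redirects');
}

// Constructed sample page: the http script tag quoted in the comment plus one https script.
const SAMPLE_HTML =
  '<script src="http://ajax.googleapis.com/ajax/libs/angularjs/1.0.4/angular.js"></script>\n' +
  '<script src="https://example.invalid/app.js"></script>';

// Constructed redirect chains (example.invalid hosts are not real):
// the first endpoint downgrades to http, the second redirects within https.
const SAMPLE_RESPONSES = {
  'https://api.example.invalid/commits': { status: 302, location: 'http://api.example.invalid/commits' },
  'http://api.example.invalid/commits': { status: 200, body: '[]' },
  'https://api.example.invalid/v2/commits': { status: 301, location: '/v3/commits' },
  'https://api.example.invalid/v3/commits': { status: 200, body: '[{"sha":"constructed"}]' },
};

// Usage when run directly: report insecure scripts and try both chains.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('insecure scripts:', findInsecureScripts(SAMPLE_HTML));
  console.log('upgraded:', upgradeScriptSources(SAMPLE_HTML));
  for (const u of ['https://api.example.invalid/commits', 'https://api.example.invalid/v2/commits']) {
    try {
      console.log(u, '->', fetchNoDowngrade(u, SAMPLE_RESPONSES));
    } catch (e) {
      console.log(u, '->', e.message);
    }
  }
}
```

The downgrade check is the part worth keeping in a real client: a redirect-following HTTP layer that never compares the scheme of the hop it is about to take with the scheme it started from will happily fetch the final body over plain http, and the calling code sees a normal success.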