[arthur_debert]

Sorry. Here's the dissonance: we're building tools (including secure messaging) that are government snooping safe. We care deeply about the privacy and security of our users. And the web page that tells us that has mixed content warnings on ssl.

Maybe nitpicking, but security and OPSEC in particular requires insane focus and attention to every little detail. If you can trip up on the small things, I could hardly trust you to get the hard things right.

[oceanstone]

To be fair, the script is "http://localhost:35729/livereload.js". That shouldn't leak anything to an adversary, if the request doesn't leave the client's computer.

Still should be fixed though, so the HTTPS warning can serve its function and call out real threats.

[arthur_debert]

You're 100% right. It's just that security is so hard to get right. Only (maybe not even) the paranoid survive on that front. All it takes is one tiny detail to screw everything up. Leaving development artifacts on your live server is not very tranquilizing on that front.

[aral]

Indeed :) And thanks for the heads up, Arthur. Was a bit of debugging code left in by mistake. Fixed it when I was skimming these comments yesterday but haven’t had a chance to reply and say thanks until now :)