Enable Javascript / CSS via https?

I am currently facing the problem that I want to serve static content through the static.mydomain.tld subdomain, but my SSL certificate is only valid for my main domain mydomain.tld.

Should I include javascript, css and images over a secure connection when using https, or can I use http://static.mydomain.tld?

I would modify my javascript so that AJAX requests use https in the main domain.

Or should you not use a subdomain and include files from the main domain?

(I was thinking about using a subdomain because I read that static content should be served from a domain that does not set cookies.)

Thanks!

+4
1 answer

Should I include javascript, css and images over a secure connection when using https

Yes. Otherwise, it may be intercepted and modified. Replaced images may provide users with false data. Replaced JS and CSS (because CSS can embed JS) can execute scripts and leak data from the secure environment.

Should I use a subdomain and include files from the primary domain?

This is an option.

You can also get another SSL certificate for a different host name.

+3
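A way to check a page for the situation discussed above, as an added example that is not part of the original question or answer: it lists every subresource an https page would fetch over plain http, separating script, frame and stylesheet loads from display-only media. The sample markup and file names are constructed, and the active/passive labels follow the usual browser mixed-content distinction.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe"}                   # can run code in the page
PASSIVE_TAGS = {"img", "audio", "video", "source"}   # display-only media
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._in_style = page_url, [], False

    def _check(self, kind, tag, ref):
        url = urljoin(self.page_url, ref)   # resolves relative and //host refs
        if urlsplit(url).scheme == "http":  # insecure fetch from a secure page
            self.findings.append((kind, tag, url))

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        self._in_style = self._in_style or tag == "style"
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE_TAGS and a.get("src"):
            self._check("active", tag, a["src"])
        elif tag in PASSIVE_TAGS and a.get("src"):
            self._check("passive", tag, a["src"])
        # url() in CSS: severity depends on what is loaded (image, font, import)
        for ref in CSS_URL.findall(a.get("style", "")):
            self._check("css", tag, ref)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for ref in CSS_URL.findall(data):
                self._check("css", "style", ref)

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page, imagined as served from https://mydomain.tld/
SAMPLE = """<link rel="stylesheet" href="http://static.mydomain.tld/site.css">
<script src="http://static.mydomain.tld/app.js"></script>
<script src="/js/local.js"></script>
<img src="http://static.mydomain.tld/logo.png">
<img src="//static.mydomain.tld/banner.png">
<div style="background: url('http://static.mydomain.tld/bg.png')"></div>"""

if __name__ == "__main__":
    for finding in scan("https://mydomain.tld/", SAMPLE):
        print(finding)
```

The scheme-relative `//static.mydomain.tld/banner.png` reference is not reported because it inherits https from the page, but it still needs a certificate that is valid for the subdomain.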

Source: https://habr.com/ru/post/1390978/

