
I am building an ASP.NET MVC 3 app which will run in Azure. Everything was working well, until I switched to https. Now most of my jQuery plugins and some other JavaScript are not secure.

I'm using the Datatables library as well as jsTree, watermarks and breadcrumbs. Most of this script is to make our site look appealing.

Is there a way to make this secure? Or is it time to move to a very lean JavaScript site?

Thank you for the help!

James

2 Answers


I serve my entire site over https, jquery included.

The trick is to use a CDN for jQuery that supports https, or deploy the code to your own site and include it from your domain. In code, for example:

<script type="text/javascript" 
        src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

Works fine and will show up as a secure element.

Now, is that actually secure? Well, I generally trust Google APIs as a CDN and the content I have is not that crucial - however, if I wished to ensure I had total control of the jQuery deployment, I could just host it myself:

<script type="text/javascript" 
        src="https://mysite.com/static/js/jquery.min.js"></script>

Both will work fine. Bottom line: you do not have to deploy jQuery from the CDN, however, if you want to, at least one of them supports https (others may, I looked no further).


An aside to consider - one of the reasons for accessing code from the CDN was to always have the latest version of the jQuery code. Deploying it yourself, you do lose this immediacy - you also gain a slight buffer against breaking updates, although hopefully that shouldn't be an issue.

  • Thank you for the help, you are exactly right! This was the issue that I suspected, but for some reason overlooked it when debugging... I have no idea how I missed it. – James Feb 02 '12 at 03:10
  • Should also make sure all CSS, pictures and such on the page are also using https src links. – ewanm89 Feb 02 '12 at 13:32
  • Have you considered using HTTP-Strict-Transport-Security (HSTS)? – rook Jan 09 '15 at 05:00
  • @Rook HSTS does not help with getting http content displayed in https sites because HSTS rules are not applied until the https version of the site has been visited once. – Rob W Jan 09 '15 at 10:30
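A small checker for the problem the answer and ewanm89's comment describe, added here as an example and not part of either post: it scans HTML for subresource tags (scripts, stylesheets, images, frames) whose src/href is an explicit http:// URL, which is exactly what the browser reports as insecure content on an https page, and it can rewrite those URLs to https:// for hosts you know serve https, such as ajax.googleapis.com from the answer. The sample page, the cdn.example.com host and the hostsWithHttps list are constructed for the example; anything the rewrite leaves behind is what you would self-host.

```javascript
// Added example, not code from the answer above: a mixed-content checker.
// It finds subresource references that use an explicit http:// URL and
// rewrites them to https:// only for hosts known to answer on https.

// Tags that load a subresource into the page. <a href> is deliberately
// absent: a link to an http:// page is navigation, not mixed content.
const SUBRESOURCE_TAGS = ['script', 'link', 'img', 'iframe', 'source', 'video', 'audio', 'object', 'embed'];

// Fresh regex objects each time so the 'g' flag's lastIndex never leaks
// between calls.
const subresourceTagRe = () => new RegExp(`<(${SUBRESOURCE_TAGS.join('|')})\\b([^>]*)>`, 'gi');
// src="..." / href='...' / src=bare; the lookbehind keeps data-src out.
const urlAttrRe = () => /(?<![\w-])(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Returns [{ tag, attr, url }] for every explicit http:// subresource.
// Protocol-relative (//host/...), https:// and relative URLs are fine on
// an https page and are not reported.
function findMixedContent(html) {
  const findings = [];
  const tagRe = subresourceTagRe();
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrRe = urlAttrRe();
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const url = (attr[2] ?? attr[3] ?? attr[4] ?? '').trim();
      if (/^http:\/\//i.test(url)) {
        findings.push({ tag: tag[1].toLowerCase(), attr: attr[1].toLowerCase(), url });
      }
    }
  }
  return findings;
}

// Rewrites http:// to https:// on subresource URLs whose host is in
// hostsWithHttps (a list you maintain; hypothetical here). Other hosts are
// left untouched rather than blindly upgraded, because a host that does not
// answer on 443 would turn a warning into a broken page.
function rewriteToHttps(html, hostsWithHttps) {
  const hosts = new Set(hostsWithHttps.map((h) => h.toLowerCase()));
  return html.replace(subresourceTagRe(), (tagText) =>
    tagText.replace(urlAttrRe(), (attrText, _name, dq, sq, bare) => {
      const url = (dq ?? sq ?? bare ?? '').trim();
      const host = /^http:\/\/([^/:?#]+)/i.exec(url);
      if (!host || !hosts.has(host[1].toLowerCase())) return attrText;
      // The first "http://" in the attribute text is the URL's scheme.
      return attrText.replace(/http:\/\//i, 'https://');
    }));
}

// Constructed sample page (not from the original post): one http:// script
// from the Google CDN, one http:// stylesheet from a hypothetical CDN, and
// several references that are already fine on an https page.
const SAMPLE_HTML = `<html><head>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js"></script>
</head><body>
<img src="https://mysite.com/static/img/logo.png">
<img src='/static/img/watermark.png'>
<a href="http://example.com/about">About</a>
</body></html>`;

console.log('Mixed content before:', findMixedContent(SAMPLE_HTML));
const FIXED_HTML = rewriteToHttps(SAMPLE_HTML, ['ajax.googleapis.com']);
console.log('Still to self-host:', findMixedContent(FIXED_HTML));
```

On the sample page the first pass reports the jQuery script and the stylesheet; after the rewrite only the stylesheet remains, which is the one you would copy under your own domain as the answer suggests. The checker is a regex over tag attributes, good enough for views you control, not a substitute for the browser's own mixed-content report on dynamically inserted elements.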

Moving to a lean JavaScript site might be a good idea; at least that way you can audit the JavaScript more easily and there is a lot less attack surface. However, you do have to be competent when writing the code.

Which brings me to the other point: what precisely is it with jQuery that isn't secure? Is it just a warning about insecure content on the page? All that means is you aren't loading JavaScript or similar over HTTPS, which you should be doing, from a copy stored on the server itself; again, this way you can audit that copy. Finally, it might be worth removing any JavaScript classes and functions not actually being used from jQuery (I seriously doubt you are using all of it); to do this, we will have to generate a list of all functions called, all functions they could call...

ewanm89