Closest place I could find to file this bug. code.jquery.com is offered as a way to distribute code. QUnit uses this. If you go to http://qunitjs.com the Quick Access link at the bottom is http://code.jquery.com/qunit/qunit-1.11.0.js . If loaded verbatim in an SSL-protected site, this causes spurious warnings in the console about running insecure content. However, if I eliminate the http: and use src="//code.jquery.com/qunit/qunit-1.11.0.js", or explicitly use https://, Chrome won't load it because the SSL certificate does not match the name. If I go directly to the URL, the warning is:
This is probably not the site you are looking for!
You attempted to reach code.jquery.com, but instead you actually reached a server identifying itself as gp1.wac.edgecastcdn.net. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of code.jquery.com.
You should not proceed, especially if you have never seen this warning before for this site.
I could allow permission for this certificate, but in general sites can't ask users to explicitly load the JavaScript page and tell their browser to accept the mismatched certs. They just need to work.
Can you fix this, or should QUnit and everything else on code.jquery.com move to ajax.googleapis.com?
If I load it in Firefox I see more details. The cert is good for a whole bunch of names, but not this one. It looks like the "Certificate Subject Alt Name" field needs to be updated by EdgeCast to include code.jquery.com as a valid name.
I will report this also to support@edgecast.com.
Thanks.
Mark
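
Added example, not part of the original report: a small Python check that reproduces both outcomes described above for a `<script src>` on an HTTPS page, the mixed-content warning for `http://` and the name mismatch when the served certificate's Subject Alt Name list lacks the requested host. The page URL and the SAN lists are constructed for illustration; only `gp1.wac.edgecastcdn.net` and the QUnit URL come from the report, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

def san_matches(hostname, pattern):
    """Match one dNSName SAN entry against a hostname (RFC 6125 style)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard stands for exactly one label
    if pat[0] == "*":
        # Wildcard must be the whole leftmost label; refuse "*.com"-style entries.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, san_dns_names):
    """True if any SAN entry in the certificate covers the hostname."""
    return any(san_matches(hostname, p) for p in san_dns_names)

def check_script_src(page_url, src, sans_by_host):
    """Return 'mixed-content', 'name-mismatch' or 'ok' for a <script src>."""
    page = urlsplit(page_url)
    target = urlsplit(urljoin(page_url, src))  # also resolves "//host/path"
    if page.scheme == "https" and target.scheme == "http":
        return "mixed-content"
    if target.scheme == "https":
        sans = sans_by_host.get(target.hostname, [])
        return "ok" if cert_covers(target.hostname, sans) else "name-mismatch"
    return "ok"  # plain-http page loading plain-http script: no TLS check

# Constructed data: SAN lists the CDN edge might present for code.jquery.com.
PAGE = "https://app.example.test/tests.html"
PATH = "code.jquery.com/qunit/qunit-1.11.0.js"
BEFORE = {"code.jquery.com": ["gp1.wac.edgecastcdn.net", "*.cdn.example.test"]}
AFTER = {"code.jquery.com": BEFORE["code.jquery.com"] + ["code.jquery.com"]}

if __name__ == "__main__":
    for src in ("http://" + PATH, "//" + PATH, "https://" + PATH):
        print(src, "->", check_script_src(PAGE, src, BEFORE),
              "| after SAN update:", check_script_src(PAGE, src, AFTER))
```
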