TIL #13 - 2019-01-14
Published on 2019-01-14
Read about it in this article - it is rather scary. No matter how well documented this is or how easy it is to opt out, it should NEVER be the default! Ever!
Of course hosting providers (or anyone else who has ownership of any part of the connection) can do this (please use encryption everywhere!), but they shouldn't. There is no need to do it at all - there are plenty of ways to ensure performance for the end user using HTTP and/or TCP - injecting client-side scripts, possibly ruining the page, is always the wrong choice.