The user is under the impression they are secure, and their data is protected from prying eyes, but then the website has gone and given their username and password out over a non secure channel.
So it's not just js/css that could cause leakage/security issues, but any http request.
This is of course the fault of the website for being sloppy with the users private data, but I can see the argument that says users should be made aware that there is a possibility of sensitive data being "leaked".
The issue is: Who do you want to be the authority on what data is "boring generic/doesn't matter", and what data is "sensitive"... The website? or the user?
myImage.src = "http://www.blah.com/foo.png?username="+username+"&password="+password;
The user is under the impression they are secure, and their data is protected from prying eyes, but then the website has gone and given their username and password out over a non secure channel.
So it's not just js/css that could cause leakage/security issues, but any http request.
This is of course the fault of the website for being sloppy with the users private data, but I can see the argument that says users should be made aware that there is a possibility of sensitive data being "leaked".
The issue is: Who do you want to be the authority on what data is "boring generic/doesn't matter", and what data is "sensitive"... The website? or the user?