X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=README;h=1e1efa7f76e8c90808fc5f1a6d419da3f806d88d;hb=1628e631d4c9609d037935d0a3229c2241d238ca;hp=b0124c1279b961ebf6bdf064ff8f28ee3780296d;hpb=219d904b7d12173ee93d016fe1a2cb8ae32eea9c;p=tlsproxy%2Ftlsproxy.git diff --git a/README b/README index b0124c1..1e1efa7 100644 --- a/README +++ b/README @@ -91,6 +91,11 @@ If you always verify the authentication of the connection this isn't a problem, but if you only check if it's a HTTPS connection then this attack is possible. +Another issue is embedded active content, like JavaScript. If the website +includes data from a different host (e.g. a different sub-domain), for which +tlsproxy has no certificate, then an attacker can MITM that connection and +inject JavaScript with unknown consequences into the browser. + KNOWN ISSUES ------------
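Review bot: "inject JavaScript with unknown consequences" in the new paragraph understates the problem and leaves the reader without a mitigation; a script loaded via `<script src=...>` from another host runs with the including page's origin, so a MITM of that one unverified sub-resource is equivalent to a MITM of the verified page itself (same DOM, same cookies, same form contents). Suggest replacing the last sentence with something like "then an attacker can MITM that connection and inject JavaScript that runs with the full privileges of the verified page" and adding one line on what the user should do, e.g. that tlsproxy needs a certificate for every host from which a page loads active content, or that such sub-resources should be blocked. The preceding paragraph already gives the pattern ("If you always verify ... this isn't a problem"), so stating the matching condition here keeps the two paragraphs consistent. Minor style: "sub-domain" is elsewhere commonly written "subdomain", and "MITM" used as a verb could be "perform a MITM attack on".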