From 061aa8165e1d74ab90b1fe3b07870536779a67ce Mon Sep 17 00:00:00 2001 From: Simon Ruderich Date: Mon, 9 Dec 2013 21:45:49 +0100 Subject: [PATCH] README: Describe another issue of -u. --- README | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README b/README index b0124c1..1e1efa7 100644 --- a/README +++ b/README @@ -91,6 +91,11 @@ If you always verify the authentication of the connection this isn't a problem, but if you only check if it's a HTTPS connection then this attack is possible. +Another issue is embedded active content, like JavaScript. If the website +includes data from a different host (e.g. a different sub-domain), for which +tlsproxy has no certificate, then an attacker can MITM that connection and +inject JavaScript with unknown consequences into the browser. + KNOWN ISSUES ------------ -- 2.43.2
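Review bot: The new README paragraph (the lines added after "then this attack is possible.") does not say whether the advice in the preceding context, "If you always verify the authentication of the connection this isn't a problem", still protects the user in this case. Embedded content is fetched over a separate connection to the other host, so a user who verifies only the main page's connection would not notice it. Please state explicitly whether that check is sufficient here, and if it is not, what the user should do instead. Also, "with unknown consequences" is vague: consider saying that the injected JavaScript runs in the context of the including page, which is what makes the issue serious even though the main connection is authenticated. Finally, the subject line ties this to -u, but the added text never names the option; a short "when using -u" in the first sentence would keep the paragraph understandable on its own.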