When a page delivers secure and non-secure items over https, are the secure items compromised?

情深已故 2020-12-20 01:05

I'm not 100% sure that I'm using the correct terminology or if I'm leaving out information that is required to answer. So please be patient with me.

My client wan

2 answers
  •  余生分开走
    2020-12-20 02:01

    If your page references unencrypted JavaScript or Flash, you're totally unprotected; an attacker can substitute any JavaScript he wants, and can steal non-HTTP-only cookies, or make arbitrary HTTP requests that impersonate the current user.

    If you reference unencrypted CSS, you're still vulnerable; attackers can arbitrarily modify your layout, and can execute arbitrary code in IE and Firefox.

    If you reference unencrypted images, you're mostly fine; all the attacker can do is see the Referer header and find out what page the user is seeing. (He'll also get any non-SSL-only cookies for the image's domain). The attacker can also alter the images to suit his needs, which may be a concern.
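
An added example, not part of the original answer: a small Python scanner that lists the subresources an HTTPS page would fetch over plain HTTP and ranks them by the tiers the answer describes. The sample markup, the hostnames and the high/medium/low labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Tiers follow the answer above: script/Flash is the worst case,
# stylesheets come next, images are the least severe.
ORDER = {"high": 0, "medium": 1, "low": 2}

class MixedContentScanner(HTMLParser):
    """Collect subresources an HTTPS page would load over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (risk, tag, url) tuples

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("script", "embed"):
            self._check("high", tag, a.get("src"))
        elif tag == "object":
            self._check("high", tag, a.get("data"))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._check("medium", tag, a.get("href"))
        elif tag == "img":
            self._check("low", tag, a.get("src"))

    def _check(self, risk, tag, url):
        # Only an explicit http:// scheme is flagged. Relative and
        # protocol-relative (//host/x) URLs inherit the page's https scheme.
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((risk, tag, url.strip()))

def scan(html):
    """Return findings sorted most severe first (document order within a tier)."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings, key=lambda f: ORDER[f[0]])

# Constructed sample, assumed to be served from https://shop.example/
SAMPLE = """<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://shop.example/app.js"></script>
<script src="http://stats.example/track.js"></script>
<img src="http://img.example/logo.png">
<img src="/local.png">
<embed src="http://media.example/player.swf">
<script src="//cdn.example/lib.js"></script>"""

if __name__ == "__main__":
    for risk, tag, url in scan(SAMPLE):
        print(f"{risk:6} <{tag}> {url}")
```

The scanner only sees static markup; resources added at runtime by scripts or referenced from inside stylesheets need a browser-side check.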
