> You can try an Ajax request or loading a picture over SSL and then redirect with JS if it doesn't fail.
Neat idea, but wouldn't this still be exposed to ISP-level attacks? Since the user is still loading the page initially in plain HTTP, so the ISP could still inject code, remove the JS redirect, etc.
> There is no formal definition on what constitutes a "surgical stainless steel", so product manufacturers and distributors apply the term to refer to any grade of corrosion resistant steel.
A bit misleading. The maintainers have been working on large experimental features like a self-hosted "signaling server" which helps sync notes without storing any note data on it, and without relying on third-party hosting like Dropbox [1].
Also if you look at the dev branch [2], they have been making sweeping changes to the codebase; most recently it appears they have been removing "old" JavaScript libraries like Bower, presumably to move everything to an NPM setup.
Neat idea, but wouldn't this still be exposed to ISP-level attacks? Since the user is still loading the page initially in plain HTTP, so the ISP could still inject code, remove the JS redirect, etc.