Say a user visits my website on an encrypted connection (https), and I send some (AJAX) code to the user's web browser, which in turn connects to its localhost using a non-secure URL: http. Would it still be secure?
My thought is yes, because the web browser is already running on localhost, so the message will in turn never be sent over the internet unencrypted anyway. In short, the message has already been transferred to the machine, and the path from the user's web browser to my software (installed on the user's computer/machine) will be very short and will not reach any other machine, as long as the user's computer/machine is not infected by malware. Is this the right conclusion?
Assuming there is no malware on the localhost, an http request from the web-browser to localhost never leaves the machine and is thus not viewable by anyone on the network. In this way, it is secure.
If there is malware, or other users on the localhost, sniffing http traffic on the loopback interface is much easier to execute than tracing the web-browser application for the same information. In this way, it is not secure.