To be fair, the script is "http://localhost:35729/livereload.js". That shouldn't leak anything to an adversary, if the request doesn't leave the client's computer.
Still should be fixed though, so the HTTPS warning can serve its function and call out real threats.
You're 100% right. It's just that security is so hard to get right. Only (maybe not even) the paranoid survive on that front. All it takes is one tiny detail to screw everything up.
Leaving development artifacts on your live server is not very tranquilizing on that front.
Indeed :) And thanks for the heads up, Arthur. Was a bit of debugging code left in by mistake. Fixed it when I was skimming these comments yesterday but haven’t had a chance to reply and say thanks until now :)
Still should be fixed though, so the HTTPS warning can serve its function and call out real threats.