MiTM doesn't work against https unless the users are accepting bad certs already. If the page you're looking at was sent over https, its not alterable to include malicious javascript en-route. Someone on the network doesn't have your key, and so they can't spoof a request to take advantage of persistent https connections. XSS is dependent on your users looking at each others data and you not filtering it well. So unless your server or client are already owned (at which point this doesn't matter), or your users are randomly accepting bad certs (at which point it still doesn't matter), the only vector is a pre-existing unpatched XSS vulnerability on one of the servers https pages. (right?)

...or it could fail because its designed to fail at exactly the right time, in the right way. That our infrastructure and military hardware contain so many parts from China has to be one of their best strategic advantages in any conflict we might have. They would be silly not to try and use that.