Back in October 2010 (that long?!) I noticed a commit to Paul Irish’s (awesome) HTML5 Boilerplate project on GitHub that piqued my curiosity. I hadn’t really noticed the trick of linking to a resource in a protocol-independent manner before. So I drafted this post and then promptly forgot about publishing it. It’s still cool five years later—but not quite as cool, for reasons I’ll explain in a sec.
For the longest time, I thought links had to have a protocol specified, no matter what. I thought that was why Google Analytics used a kind of ugly detection hack to check document.location.protocol and switch the script src accordingly. Turns out that Google used that hack not because of the protocol itself, but because Analytics offered HTTPS on a different subdomain.
That commit got me to look it up, and sure enough, protocol-independent links are a thing. Until then I had no idea the protocol could be implied—though I knew the domain name is implied if the URI starts with /, and the entire base path is implied if there’s no initial slash at all.
So, adding a script that will load securely if the page is secured and by normal HTTP if not is as easy as removing the http: or https: from the src attribute, leaving a URI that looks like //domain.name/path/to/script.js.
Not So Cool
So basically, I learned something five years ago that is now kind of frowned upon if you actually use it: a protocol-relative URI on a page served over plain HTTP fetches the script over plain HTTP too, even when the origin could have served it securely. Use HTTPS to load resources if the origin server supports it, period. Both server hardware and server software have gotten so good at encryption that the old argument—"It adds too much overhead"—no longer applies, and the upsides far outweigh the downsides.
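To make the two points above concrete (how a //host/path src inherits the page's scheme, and why stating https: explicitly is the safer default), here is an added example in JavaScript; it is not code from the original post, and the analytics and CDN hostnames in it are constructed placeholders, not the real Google Analytics hosts.

```javascript
// Added example (not from the original post): how a protocol-relative src
// resolves against the page's own scheme, the old protocol-switching hack,
// and a small audit that flags scripts a page would fetch in the clear.
// Hostnames below are constructed placeholders, not real analytics hosts.

// True for "//host/path" style references (scheme inherited from the page).
function isProtocolRelative(src) {
  return /^\/\/[^/]/.test(src);
}

// Resolve a src attribute the way a browser would, relative to the page URL.
function resolveSrc(src, pageUrl) {
  return new URL(src, pageUrl).href;
}

// The Analytics-style switch the post describes: pick scheme *and* host
// from document.location.protocol because HTTPS lived on another subdomain.
function legacyAnalyticsSrc(protocol) {
  return protocol === 'https:'
    ? 'https://ssl.analytics.example/ga.js'
    : 'http://www.analytics.example/ga.js';
}

// What the post now recommends: state https: explicitly instead of
// inheriting whatever scheme the page happened to be served with.
function hardenedSrc(src, pageUrl) {
  const u = new URL(src, pageUrl);
  if (u.protocol === 'http:') u.protocol = 'https:';
  return u.href;
}

// Audit: list every <script src> in an HTML string that would load over
// plain HTTP when the page is served from pageUrl.
function plaintextScripts(html, pageUrl) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const resolved = resolveSrc(m[1], pageUrl);
    if (resolved.startsWith('http:')) out.push(resolved);
  }
  return out;
}

// Constructed sample page: one protocol-relative, one explicit https, one http.
const SAMPLE_HTML = `
<script src="//cdn.example/jquery.js"></script>
<script src="https://cdn.example/plugin.js"></script>
<script src="http://cdn.example/legacy.js"></script>`;
```

Run plaintextScripts(SAMPLE_HTML, ...) once with an http: page URL and once with an https: one to see the protocol-relative script move between the two lists while the hard-coded http: one stays plaintext either way.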
- It’s ironic that NETRESEC’s site doesn’t even load over HTTPS. You’d think a network security blog would implement that, at the very least.
- I don’t know for how long, because the last time I actually touched tracking code myself must have been 2011 at the latest.
- It always was silly to put secure traffic on a separate subdomain, though I still see sites do it. I still don’t know why—especially in cases like Google Analytics where the hostname already load balances across dozens or hundreds of machines.