Why use protocol-relative URLs at all?

5

47

It's been an oft-discussed question on StackOverflow what this means:

 <script src="//cdn.example.com/somewhere/something.js"></script>

This gives the advantage that if you're accessing it over HTTPS, you get HTTPS automatically, instead of that scary "Insecure elements on this page" warning.

But why use protocol-relative URLs at all? Why not simply use HTTPS always in CDN URLs? After all, an HTTP page has no reason to complain if you decide to load some parts of it over HTTPS.

(This is more specifically for CDNs; almost all CDNs have HTTPS capability. Whereas, your own server may not necessarily have HTTPS.)

Gromyko answered 11/2, 2015 at 3:51 Comment(0)
59

As of December 2014, Paul Irish's blog on protocol-relative URLs says:

2014.12.17: Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.

Unless you have specific performance concerns (such as the slow mobile network mentioned in Zakjan's answer) you should use https:// to protect your users.

Roid answered 11/2, 2015 at 12:18 Comment(3)
This only applies to third-party resources? - Ul
@Ul for local resources you just use / paths, not // paths. - Arroba
In 2017, SO also switched from protocol-relative to HTTPS: nickcraver.com/blog/2017/05/22/https-on-stack-overflow/… - Assignee
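
The advice in the answer above, as an added example that is not part of the original answers: it resolves protocol-relative references against the embedding page the way the WHATWG URL parser does, showing that they inherit http: (or file: for a page opened from disk), and then pins them to https://. The sample HTML, the page URLs and the function names are constructed for illustration.

```javascript
// Added example: shows which scheme a protocol-relative reference inherits
// from the embedding page, and rewrites such references to explicit https://.
// SAMPLE_HTML and the page URLs are constructed; cdn.example.com is the
// placeholder host from the question.
const SAMPLE_HTML = `
<script src="//cdn.example.com/somewhere/something.js"></script>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<img src="/local/logo.png">
<script src="https://cdn.example.com/pinned.js"></script>
`;

// Matches src/href attribute values that start with "//" (protocol-relative).
const PRURL_ATTR = /\b(src|href)=(["'])(\/\/[^"']+)\2/gi;

// List every protocol-relative reference and the absolute URL that would be
// fetched when the document is loaded from pageUrl.
function auditProtocolRelative(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(PRURL_ATTR)) {
    const resolved = new URL(m[3], pageUrl); // WHATWG URL resolution
    findings.push({
      reference: m[3],
      resolved: resolved.href,
      encrypted: resolved.protocol === "https:",
    });
  }
  return findings;
}

// Pin every protocol-relative src/href to https://, leaving path-relative
// ("/local/...") and already-absolute URLs untouched.
function pinToHttps(html) {
  return html.replace(PRURL_ATTR, (_, attr, quote, ref) =>
    `${attr}=${quote}https:${ref}${quote}`);
}

for (const page of ["https://shop.example/", "http://shop.example/",
                    "file:///home/user/saved-page.html"]) {
  for (const f of auditProtocolRelative(SAMPLE_HTML, page)) {
    console.log(page, "->", f.resolved, f.encrypted ? "(TLS)" : "(no TLS)");
  }
}
console.log(pinToHttps(SAMPLE_HTML));
```

On the http: page the CDN script is fetched without TLS, so anyone on the network path can alter it; after `pinToHttps` the audit reports no remaining protocol-relative references.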
7

Because of performance. Establishing an HTTPS connection takes much longer than HTTP; the TLS handshake adds a latency delay of up to 2 RTTs. You can notice it on mobile networks. So it is better not to use HTTPS asset URLs if you don't need them.

Delectable answered 11/2, 2015 at 5:25 Comment(6)
I say it's better to use https cuz of http2 performance and it's more secure! - Industrialist
This is a 2-year-old answer, from when HTTP2 was not available yet. - Delectable
This answer is no longer true. Enable HTTP2 on your websites and HTTPS is faster than HTTP. - Sparrowgrass
As you should definitely know by now, it is not that HTTPS is now faster than HTTP, it's that HTTP is now faster than older HTTP, and only the HTTPS version of it has been implemented at all. HTTPS is still and always will be necessarily slower than HTTP. - Lizalizabeth
Note that //: links are ruined when the page is saved offline. joonas.fi/2016/12/27/stop-using-protocol-relative-urls - Gib
HTTP2 enables multiple requests; it doesn't magically make the SSL handshake disappear. Give a source otherwise. If you have a static page that has nothing secret enough to be encrypted, then it makes sense you'd want to optimize for speed, and that would mean NO SSL for that page. - Medick
3

There are a number of potential reasons, though they're all not particularly crucial:

  • How about the next time every business with an agenda pushes a new protocol? Are we going to have to swap out thousands of strings again then? No thanks.
  • HTTPS is slower than HTTP of the same version
  • If any of the notes listed at caniuse.com for HTTP/2 are a problem
  • Conceptually, if the server enforces the protocol, there is no reason to be specific about it in the first place. Agnosticism is what it is. It's covering all your bases.
Lizalizabeth answered 15/11, 2018 at 17:22 Comment(0)
1

One thing to note, if you are using CSP's upgrade-insecure-requests, you can safely use protocol-agnostic URLs (//example.com).

Faulk answered 9/11, 2018 at 14:52 Comment(0)
0

Protocol-relative URLs sometimes break JS code that tries to detect location.protocol. They are also not understood by extremely old browsers. If you are developing web services that require maximum backward-compatibility (i.e. serving crucial emergency information that can be received/sent on slow connections and/or old devices), do not use PRURLs.

Microdont answered 28/7, 2021 at 6:19 Comment(0)
