Opened 3 years ago

Closed 2 years ago

#4782 closed change (fixed)

Decide if we should include a protocol in achor hrefs

Reported by: juliandoucette Assignee:
Priority: P3 Milestone:
Module: Websites Keywords:
Cc: saroyanm, erick, ire, kvas, jsonesen Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: yes Confidential: no
Tester: Unknown Verified working: no
Review URL(s):

Description (last modified by juliandoucette)

Background

We have been using http://, https://, and // inconsistently.

What to change

  • Investigate which is appropriate when
  • Document this in our code style guide

Change History (6)

comment:1 Changed 3 years ago by juliandoucette

  • Description modified (diff)

comment:2 Changed 3 years ago by saroyanm

I'm not entirely sure what are you suggesting, but if you will not mention the protocol there is a risk that browser can consider the link as a relative.
My suggestion is to use secure version if applicable and the protocol settings is something that is defined not on our end if it's 3-rd party website.

comment:3 Changed 2 years ago by ire

  • Cc iaderinokun added

@saroyanm: I believe what Julian is referring to is the protocol-relative URL, where, if the http:/https: is not written, the browser chooses which to use depending on the protocol of the page requesting the asset. Not to be confused with the single forward slash (/) which defines a relative url on the same domain.

@juliandoucette: From the research I've done, it seems to be advised that the protocol always be stated. Particularly if the resource has a https:// version, then that should always be fetched for security reasons. See this quote:

Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique [the protocol-relative URL] is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.

Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.

(Paul Irish, The protocol-relative URL)

Other references:

Based on this, I think we should always define the protocol.

comment:4 Changed 2 years ago by juliandoucette

  • Cc kvas jsonesen added

@Vasily and/or @Jon can you please review comment 3 and provide your opinion on this matter (as it is relevant to how our CMS functions).

comment:5 Changed 2 years ago by ire

  • Cc ire added; iaderinokun removed

comment:6 Changed 2 years ago by juliandoucette

  • Resolution set to fixed
  • Status changed from new to closed

I think Ire's answer was sufficient to resolve this issue. Documentation will follow in a separate issue.

Note: See TracTickets for help on using tickets.