Opened on 01/09/2017 at 06:28:08 PM
Closed on 08/30/2017 at 03:52:20 PM
#4782 closed change (fixed)
Decide if we should include a protocol in achor hrefs
| Reported by: | juliandoucette | Assignee: | |
|---|---|---|---|
| Priority: | P3 | Milestone: | |
| Module: | Websites | Keywords: | |
| Cc: | saroyanm, erick, ire, kvas, jsonesen | Blocked By: | |
| Blocking: | Platform: | Unknown / Cross platform | |
| Ready: | yes | Confidential: | no |
| Tester: | Unknown | Verified working: | no |
| Review URL(s): | |||
Description (last modified by juliandoucette)
Background
We have been using http://, https://, and // inconsistently.
What to change
- Investigate which is appropriate when
- Document this in our code style guide
Attachments (0)
Change History (6)
comment:2 Changed on 01/10/2017 at 09:53:02 AM by saroyanm
comment:3 Changed on 06/05/2017 at 02:46:08 PM by ire
- Cc iaderinokun added
@saroyanm: I believe what Julian is referring to is the protocol-relative URL, where, if the http:/https: is not written, the browser chooses which to use depending on the protocol of the page requesting the asset. Not to be confused with the single forward slash (/) which defines a relative url on the same domain.
@juliandoucette: From the research I've done, it seems to be advised that the protocol always be stated. Particularly if the resource has a https:// version, then that should always be fetched for security reasons. See this quote:
Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique [the protocol-relative URL] is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.
Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.
(Paul Irish, The protocol-relative URL)
Other references:
- https://jeremywagner.me/blog/stop-using-the-protocol-relative-url
- https://github.com/konklone/cdns-to-https#conclusion-cdns-should-redirect-to-https
- https://www.digitalgov.gov/2015/08/14/secure-central-hosting-for-the-digital-analytics-program/
Based on this, I think we should always define the protocol.
comment:4 Changed on 07/09/2017 at 05:14:00 PM by juliandoucette
- Cc kvas jsonesen added
@Vasily and/or @Jon can you please review comment 3 and provide your opinion on this matter (as it is relevant to how our CMS functions).
comment:5 Changed on 07/13/2017 at 08:32:25 AM by ire
- Cc ire added; iaderinokun removed
comment:6 Changed on 08/30/2017 at 03:52:20 PM by juliandoucette
- Resolution set to fixed
- Status changed from new to closed
I think Ire's answer was sufficient to resolve this issue. Documentation will follow in a separate issue.
I'm not entirely sure what are you suggesting, but if you will not mention the protocol there is a risk that browser can consider the link as a relative.
My suggestion is to use secure version if applicable and the protocol settings is something that is defined not on our end if it's 3-rd party website.