Is there a reason NOT to use src="//domain.com/file.js", which is protocol-relative?

In some of my e-commerce applications, I started using src="//domain.com/file.js" in cases where I needed to reference external scripts that I wanted to include. In my e-commerce applications, not all pages actually use https, since not every page has a form.

I am wondering if there are any drawbacks at all to always using this, since it is also a shortcut for http, and you can always avoid the IE warning without protection.

+7
javascript href hyperlink src
2 answers

If you intend to load resources from the same protocol as the page being loaded, then using this is an ideal way to do it. However, you may need to load some resources from http, even if your page is currently served at https (say, the resource is only available over http, or you prefer to reduce the load on your server without having to encrypt every image on the page). In this case, you need to explicitly specify the protocol name.

+5

@Mehrdad_Afshari Loading resources over HTTP can open injection vulnerabilities from MITM attacks that HTTPS specifically protects you from. A classic example is fetching a script via HTTP, but there have been bugs in the past (see http://www.adambarth.com/papers/2009/barth-caballero-song.pdf ) that could allow script injection via the IMG tag with MITM. Scheme-relative references have been specifically recommended by ForceHTTPS ( https://crypto.stanford.edu/forcehttps/ ) because of such problems.

+2
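The two answers above hinge on how a browser resolves a `src` value against the page URL and on which combinations end up as mixed content. The following is an added example, not code from the question or either answer: it uses the standard WHATWG `URL` class (available in browsers and Node) to resolve a `src` the way a browser would, classify the result, and list the `src` values that would be mixed content on a given page. All page URLs and `src` values in it are constructed for illustration.

```javascript
// Added example (not from the original question or answers): resolve script
// src attributes the way a browser would and flag mixed content.
// The page URLs and src values below are constructed for illustration.

// Resolve a src attribute against the URL of the page that contains it.
// A protocol-relative src ("//cdn.example/file.js") inherits the page scheme;
// an absolute "http://" src stays http even when the page is https.
function resolveSrc(pageUrl, src) {
  return new URL(src, pageUrl).href;
}

// Classify a resource relative to the page that loads it:
//   "secure"        - https page, https resource
//   "mixed-content" - https page, http resource (browsers may block it;
//                     an on-path attacker can replace the script body)
//   "plain"         - http page, any resource (no transport protection either way)
function classify(pageUrl, src) {
  const page = new URL(pageUrl);
  const res = new URL(src, pageUrl);
  if (page.protocol !== 'https:') return 'plain';
  return res.protocol === 'https:' ? 'secure' : 'mixed-content';
}

// Given the src values found on a page, return the resolved URLs that
// would be loaded as mixed content on that page.
function findMixedContent(pageUrl, srcs) {
  return srcs
    .filter((s) => classify(pageUrl, s) === 'mixed-content')
    .map((s) => resolveSrc(pageUrl, s));
}

// Constructed sample of src attributes as they might appear in a template.
const SAMPLE_SRCS = [
  '//cdn.example/jquery.js',        // protocol-relative: follows the page scheme
  'http://cdn.example/tracker.js',  // hard-coded http: mixed content on https pages
  'https://cdn.example/widget.js',  // hard-coded https: fine on either kind of page
  '/static/app.js',                 // same-origin relative path: follows the page
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const page of ['http://shop.example/cart', 'https://shop.example/checkout']) {
    console.log(page, findMixedContent(page, SAMPLE_SRCS));
  }
}
```

Running it shows the point of both answers at once: on the https checkout page the protocol-relative and relative entries resolve to https and only the hard-coded `http://` script is reported as mixed content, while on the http cart page nothing is reported because the page itself has no transport protection to lose.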
