Geek Answers Handbook

Using // instead of protocol

Possible duplicate:
Is there a drawback to using leading double slashes for protocol inheritance in URLs? those. src = "//domain.com"

In many places, I saw the following logic: f.ex analytics script:

script.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://example.com/cdn.js';

But as far as I know, you could just as well:

 script.src = '//example.com/cdn.js';

and he should use any protocol that is currently in use. Or am I missing something? What is considered "best practice"?

I'm not looking for answers for browser compatibility, google already recommends // for CDN scripts, so it should not be here.

Here is such a fiddle, but in reality it does not say much more than it seems in this setting: http://jsfiddle.net/6ZGyb/

+6
source share
1 answer

A bit of background:

The optional JavaScript protocol shell is commonly used to provide support for all browsers for such relative path URL s. You are right, since most modern browsers handle these URLs correctly , however, in order to be able to sleep with a rested mind, it is still considered good practice to assume that not all user agents accessing your web pages are as smart as expected from them (or by supporting RFC 1808 Section 4, RFC 2396 Section 5.2, or RFC 3986 Section 5.2, as mentioned in Is there a drawback in using the leading double slash for protocol inheritance in the URL , as @Bruno noted in comment Rhee)

Compatibility:

Imagine a scenario in which content containing such relative paths is available “out of context”, for example. in the mail client. In this case, such relative paths can be analyzed on their fully defined paths in the wrong way and cause all kinds of problems, due to the fact that users will not be able to see the content correctly, to access the content that they really should not be. To avoid such problems, the use of relative paths should always be limited to cases within the context where the parser of the parent document (opening application) can determine the complete absolute path to the resource in question. . should only expect relative paths to work properly when they are accessed by the same or compatible protocol.

Security Concerns:

Another possible problem that arose:

Can such relative protocol URLs be used in any way by accessing the contents of the parent document (parsed URLs) by various protocol exchange methods, and if such a JavaScript wrapper serves the purpose of denying such access.

The IANA's (long) list of officially registered URLs offers many potentially disturbing exchange protocols that can be exploited by operators, but JavaScript would not do anything for user agents that do not support JavaScript (or are disabled by the user) . My answer, in light of this, should be no (to "protect JavaScript access using other protocols") .

Regarding the remainder of the increased concern (“can such relative protocol URLs be used in any way”), the answer depends on how well it was considered when setting up a web server serving any such content, whether it supports / processes such requests (if this does not mean that this is not a problem), and what possible attack / content theft vectors were considered before deployment. In other words, this is a web server administration problem and, of course, is not something that web designers / programmers can / should respond to. Each protocol available to the end user must have its own set of security protocols on top of it.

+5
source

More articles:


All Articles