Protocol-Relative URLs to Fix Mixed-Content Warnings

41 points, by autoref, over 12 years ago

11 comments

rachelbythebay, over 12 years ago
This isn't as simple as it sounds, particularly if you have something like an Atom feed. Putting an IMG SRC pointing at //example.com/foo.jpg in the HTML served as a regular web page will work fine for nearly everyone. However, putting that same construct in your feed will cause a nontrivial number of people to "GET //example.com/foo.jpg" from your web server. It's irritating.

If you then change your feed to hard-code "http://example.com/..." in IMGs and such, you've just created the mixed-content hole when someone reads your feed over https. So, then you really have to have a second instance of the feed with nearly-identical URLs but with https protocols.

Why not serve https to everyone? Some places block it. They tend to be oppressive regimes, but that's the way it is. They can get to you on port 80 but not port 443.

I had to go to a hybrid scheme. Web pages get //host/path, http fetches of my Atom feed get http://host/path, and https fetches of the Atom feed get https://host/path.

Even then, some browsers still don't quite work with the web site, but I'm okay with ignoring them, since they didn't send User-Agent strings and are obviously broken. Besides, there have only been two of them so far this entire week.

( Mostly recycled from a post about this not too long ago: http://rachelbythebay.com/w/2012/08/28/feed/ )
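
The hybrid scheme described in the comment above, sketched as an added example that is not part of the thread or the commenter's own code: page HTML keeps //host/path, the feed copy is rewritten to the scheme it was fetched over, and the access log is checked for clients that sent a protocol-relative reference back as a path. The function names, sample HTML and log lines are constructed for illustration.

```python
import re

# src=/href= attributes whose value starts with "//" (protocol-relative).
PROTO_REL_ATTR = re.compile(r"""(\b(?:src|href)\s*=\s*["'])//""", re.IGNORECASE)
# Request line inside a Common/Combined Log Format entry.
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def body_for_feed(html, request_scheme):
    """Rewrite //host/path references to the scheme the feed was fetched over."""
    if request_scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme: {request_scheme!r}")
    return PROTO_REL_ATTR.sub(lambda m: f"{m.group(1)}{request_scheme}://", html)


def misresolved_targets(log_lines):
    """Return request targets starting with '//': a client treated a
    protocol-relative reference as a path on this server."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if m and m.group(1).startswith("//"):
            hits.append(m.group(1))
    return hits


# Constructed sample data (hypothetical paths, documentation IP ranges).
PAGE_HTML = '<p>Photo: <img src="//example.com/foo.jpg"> <a href="/about">about</a></p>'
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Sep/2012:10:00:01 +0000] "GET /feed.xml HTTP/1.1" 200 5120 "-" "FeedReaderA/1.0"',
    '203.0.113.7 - - [14/Sep/2012:10:00:02 +0000] "GET //example.com/foo.jpg HTTP/1.1" 404 210 "-" "FeedReaderA/1.0"',
    '198.51.100.4 - - [14/Sep/2012:10:00:05 +0000] "GET /foo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(body_for_feed(PAGE_HTML, "http"))    # feed fetched over http
    print(body_for_feed(PAGE_HTML, "https"))   # feed fetched over https
    print(misresolved_targets(SAMPLE_LOG))     # clients that need absolute URLs
```
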

Jare, over 12 years ago
I thought the Chrome browser had recently started to block insecure content loaded from https pages; it does for me and I don't remember changing some related settings recently. Anyway yeah, it's very sane advice.

ryetoasthumor, over 12 years ago
Third post from series: http://autoref.com/blog/2012/09/08/the-tech-behind-autoref-part-2static-asset-compilation/

Full disclosure (bizdev at autoref)

ryankirkman, over 12 years ago
At cdnjs, the homepage shows protocol relative URLs by default. We got the idea from Paul Irish: http://paulirish.com/2010/the-protocol-relative-url/

crisnoble, over 12 years ago
The website http://www.htmlshell.com/ uses this technique when linking to a CDN jQuery. One problem, it doesn't seem to work for me when I'm developing locally, I get the error that '$' is not defined, so jQuery didn't load. Does it matter for local vs. server development?

lukeasrodgers, over 12 years ago
For what it's worth, the research I'm aware of on whether users actually notice or care about mixed content warnings suggests that they generally neither notice nor care: http://www.usablesecurity.org/emperor/.

bgmd, over 12 years ago
The problem this DOESN'T solve is that if the resource is not available over SSL, then this won't work at all and will show broken links.

I've got a project that addresses this by converting any URL to SSL:

    http://www.fixweb.co/

Just take whatever URL you want to access, like

    http://example.com/test.gif

add the FixWeb.co address in front of it like this:

    https://fixweb.co/example.com/test.gif
    ^^^^^^^^^^^^^^^^^^

and it will return the file over SSL.

It's not designed for high security file delivery, obviously, but it will get you around a normal Mixed-Content warning.

zenazn, over 12 years ago
...or you could request all your resources over SSL.

jc4p, over 12 years ago
Unrelated to the article, but just a small bug regarding your home page: If you choose a maker/model/ZIP and hit next, then hit the back button on your computer, you come back to the home page with the maker preselected but the model as unselectable, you have to actually choose another maker then choose the original one again to be able to pick a model.

paulsutter, over 12 years ago
We tried this at Quantcast in our tag. It worked great, but we had constant complaints from people who expected to see an "http:" in there.

Finally, we went back to two separate tags (one for http, one for https).

I hope this becomes more widely understood, it makes a lot of sense.

benologist, over 12 years ago
This looks like invaluable information for people looking to buy used cars that have secure websites but couldn't figure out how to consistently write https.

Thank you for finally acknowledging and serving this important niche.