0

As the title states, why should I use // instead of https? I understand that on an https page you shouldn't load resources over http, but AFAIK there is no downside of loading your resources over https when the page itself is loaded over http. So what are the advantages of using // over https?

Tiddo
  • 6,331
  • 6
  • 52
  • 85
  • http://stackoverflow.com/questions/8465383/loading-http-content-on-https-website – Nick R Feb 20 '14 at 12:46
  • @NickR That's the reverse question. I fully understand why you shouldn't load `http` resources on a `https` site, but I don't understand what's wrong with loading `https` resources on a `http` site. – Tiddo Feb 20 '14 at 13:10
  • @Tiddo Speed? Establishing an HTTPS connection (certificate exchange) to get one small script file is probably a waste of time. :) – NickG Jun 03 '14 at 13:55

1 Answers1

1

Use of https may be less efficient, since it involves encryption. A resource might reside on a web server that does not support https requests.

Jukka K. Korpela
  • 195,524
  • 37
  • 270
  • 390
  • If a webserver doesn't support `https` then you can't use `//` as well, since that'll break if your page is served over `https`. Is performance the only problem? – Tiddo Feb 20 '14 at 13:11
  • If a server does not support https, you can still use `//` to the extent that the referring page itself uses http. But admittedly it is then better to use explicit `http://`. I made this point to address the note “ere is no downside of loading your resources over https when the page itself is loaded over http”. – Jukka K. Korpela Feb 20 '14 at 13:32
  • Oh I get it now, I was thinking about loading external resources from an http-only server while the page itself is served over `https`. But for resources loaded from the same server this would of course work just fine. So basically the main reason to use `//` over `https` (besides performance) is when you don't know in advance if the server the website is going to run on supports https, such that it can fallback to `http` when `ssl` is disabled, right? – Tiddo Feb 20 '14 at 14:38
  • 1
    @Tiddo, well, yes. I suppose a common scenario is an e-commerce site that uses http for normal browsing but switches to https when confidential information is requested from the user. Using `//` URLs, you can use the same code in both phases. The alternative would be to use https throughout, and in a high-traffic site, the overhead might matter. – Jukka K. Korpela Feb 20 '14 at 17:16