5

For what reasons do sites provide logic to switch between http/https protocols for JavaScript include files? Why not always use https?

Jones
  • 299
  • 2
  • 5
  • 11

3 Answers3

6

HTTPS means :

  • You need a server configured properly
  • You need a certificate on your server
    • And, to not get a warning in the browser, you need a certificate signed by some trusted authority
    • And this costs a bit of money
  • A small bit of performance impact
    • The server has to crypt the data
    • The client has to de-crypt it
  • I would bet HTTPS means less caching
    • Maybe on the client side ?
    • And, most probably, on proxies ?

If you don't need HTTPS... Well, why use it ?

Pascal MARTIN
  • 395,085
  • 80
  • 655
  • 663
  • can someone confirm/refute the less caching client side with https? – Toby Nov 09 '11 at 00:05
  • There's no caching issue that I can imagine. I don't know why the client would decide not to cache. And if you're going through a proxy, that proxy *is* the SSL endpoint, so there's no reason it wouldn't cache. – Peeja Sep 17 '12 at 22:07
  • Also, the first two points are moot. The whole point of switching assets over to HTTPS is to keep the page fully secure when the page itself is served over HTTPS. The server and certificate configuration should already be taken care of if you have this problem. The only issue I can imagine is performance. – Peeja Sep 17 '12 at 22:09
  • Really not a fan of this answer. Regarding points 1 & 2: you're writing these from the points of view of someone serving a JS tag. If you're serving a JS tag, then you _need_ to provide HTTPS support, so these arguments are moot. Regarding point 3: It's actually a huge performance impact :) The TLS handshake takes a relatively long time, but if you're loading the JS async, then you should be fine. Point 4: Clients will cache all the same, but edges cannot cache since they cannot see the headers. Regarding 5th point: because developers are lazy and information leaks in URLs and cookies ;) – Ryan Angilly Jul 12 '14 at 12:08
2

There's less overhead if you just use http to serve the javascript include files. However, if you are running a site over https then you'll want to load everything over https, including the javascript include files.

ChronoPositron
  • 1,498
  • 2
  • 10
  • 14
1

Because you can get the page both with and without SSL.

If you mix secure and unsecure requests in a page, the user will get a warning, so when the page is requested using https, it will have to requests the scripts using https also. This is usually done automatically when you request scripts from the same site with a relative URL, but if you have to use a complete URL to request a script from a different domain, the protocol has to be set dynamically.

Guffa
  • 687,336
  • 108
  • 737
  • 1,005
  • 1
    This isn't true. You only get warnings if you load a page from HTTPS and then that page loads content over HTTP. If you load a page over HTTP, and the page loads content over HTTPS, there is no warning. – Ryan Angilly Jul 12 '14 at 12:09
  • Do you have a reference for that specific behaviour? Different browsers handle mixed content in different ways. – Guffa Jul 13 '14 at 11:43
  • 1
    No reference, just experience. Recently updated Chrome, FF, Safari, IE10 & IE9 seem to all be fine with it. So my comment may not reflect 100% of browsers. – Ryan Angilly Jul 13 '14 at 15:31