4

All of google's CDN libraries are served via https. Is there any advantage of serving them via https over http ?

anjanesh
  • 3,771
  • 7
  • 44
  • 58
  • They're served over both; you can use HTTP instead of HTTPS if you prefer, but I think cdhowie is correct (that's why *I* use their HTTPS versions anyway). – El Yobo Dec 06 '10 at 06:13

2 Answers2

13

cdhowie is correct. If your page is served via http, then serving the library via https merely adds a small amount of overhead. If your page is served via https, then serving the library via http would be a potential security hazard, and most browsers will issue a warning. So https is given as the default option.

See this related question: HTTPS and external (CDN) hosted files?

But you can have the best of both worlds by omitting the protocol entirely, e.g.

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js"></script>

That tells the browser to automatically use the same protocol that was used to serve the page. Little-known trick, but widely supported. More info here: Is it valid to replace http:// with // in a <script src="http://...">?

Community
  • 1
  • 1
Trevor Burnham
  • 76,828
  • 33
  • 160
  • 196
  • Why I never know the *//* double slash is a valid URL in src script. Is that compatible for all browsers in all platform and w3c standard? – CallMeLaNN Nov 04 '11 at 06:31
  • 1
    Yep, it even works in IE6. Look at the "Is it valid" link at the end of my question. It's a little-known trick that deserves to be much more widely used. – Trevor Burnham Nov 04 '11 at 14:10
  • 1
    I comes from RFC 3986 http://tools.ietf.org/html/rfc3986#section-4.2 It uses the document's underlying protocol, therefore it does work for HTTP/HTTPS, but doesn't for file:// – Volker E. Mar 08 '13 at 01:21
  • +1 for mentioning the **security hazard**. It's the true reason. Man in the middle. "security hazard" should be in the bold font and without _potential_ word ahead. – xmedeko Jan 13 '17 at 17:06
6

If I had to venture a guess, they recommend those URLs so that if your page is served via HTTPS, browsers will not whine about your page containing "insecure content."

cdhowie
  • 158,093
  • 24
  • 286
  • 300