Difference between //www.google-analytics.com/analytics.js and https://www.google-analytics.com/analytics.js

Question

I am reading https://developers.google.com/analytics/devguides/collection/analyticsjs/ and this is the JavaScript tracking snippet they provide:

<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new 
Date();a=s.createElement(o),
m=s.getElementsByTagName(o)
[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-
analytics.com/analytics.js','ga');

ga('create', 'UA-XXXXX-Y', 'auto');
ga('send', 'pageview');
</script>
<!-- End Google Analytics -->

In one of my implementations, I have the code with the only difference that instead of https://www.google-analytics.com/analytics.js I am using //www.google-analytics.com/analytics.js, but everything works correctly. Does it matter to include https: at the beginning. What would be the difference between using one form or the other? Thank you.

Answer 1

This is a "protocol relative url." You can read about them here, but you should really just be using https at this point.

Here's a good excerpt from the linked resource:

Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.

Allowing the snippet to request over HTTP opens the door for attacks like the recent Github Man-on-the-side attack. It’s always safe to request HTTPS assets even if your site is on HTTP, however the reverse is not true.