How safe is it to use `//domain.com/` (schema-less) links?

Question

I've read some articles before that stated you can skip the scheme from your URLs and it'd be automatically determined from the page you're visiting. For example, if you're on https://test.com/ and you'd have an image like //google.com/logo.png, the image would be requested through a secure connection. Unfortunately, I can't find any reference right now (damn you, bookmarks!).

I tried it in Chrome and it worked. Tested on https://google.com:

(function (document) {
    var img = document.createElement('img');
    img.src = '//www.paypal.com/en_US/i/logo/paypal_logo.gif';
    document.body.appendChild(img);
})(document);

Inspecting the elements, it brings in the logo from https://www.paypal.com.

I've skimmed the URL RFC but haven't found anything that clearly states this behavior. Does anyone know what the browser support for this feature is? I'm especially interested in mobile browsers.

score 10 · Accepted Answer · edited May 23 '17 at 12:34

10

This is well supported by all browsers and is called schemaless URLs.

See Can I change all my http:// links to just //? for more detail.

edited May 23 '17 at 12:34

Community

1
1

answered Feb 28 '12 at 11:41

Oded

489,969
99
883
1,009

Great, thanks! Sorry for the duplicate, but I had a hard time googling for this. – Alex Ciminian Feb 28 '12 at 11:44

How safe is it to use `//domain.com/` (schema-less) links?

1 Answers1