Solving Confusing Browser Security Prompts with Protocol-Relative Hyperlinks

If you’ve ever been in the situation where you’re visiting a site where some of the content is delivered via http, and some via https, you may have seen the following security dialog (this is the IE version, but Firefox has a similar dialog):

Security Dialog

It’s not immediately intuitive whether the right answer is “Yes” or “No,” is it? But while the dialog itself can be confusing, the problem it’s trying to communicate is very real: mixing secure and insecure content within the same page can be a big problem from a security standpoint.

Fortunately, there’s a solution, as Jon Galloway helpfully points out:

Fixing the real problem with protocol-relative hyperlinks

The real way to fix the problem is for web devs to use protocol-relative hyperlinks, such as <img src="//" /> - that will use HTTPS if the page is HTTPS and HTTP if the page is HTTP, preventing both the security vulnerability and the security prompt. Rather than trying to fix the links in code, we’re relying on a specified and supported HTML feature (RFC 1808, Section 2.4.3, circa 1995).

As Eric points out, you can find out which content is causing the problem with an HTTP monitoring program like Fiddler.
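A static complement to watching the traffic, as an added example that is not part of the original post: this Python sketch parses a page's HTML, resolves every subresource reference against the page URL the way a browser would, and flags references that load over HTTP on an HTTPS page. The sample HTML, the `example.test` hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs the browser fetches as subresources.
# <a href> is navigation, not a subresource, so it is left out.
FETCHED = {("img", "src"), ("script", "src"), ("iframe", "src"),
           ("link", "href"), ("embed", "src"), ("source", "src")}

# Constructed sample page; all hosts are placeholders.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://shop.example.test/checkout">
<script src="//cdn.example.test/app.js"></script>
</head><body>
<img src="/images/logo.png" />
<img src="http://ads.example.test/banner.gif" />
<a href="http://other.example.test/">ordinary link</a>
</body></html>
"""

class SubresourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, raw attribute value) in document order

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        if tag == "link" and "stylesheet" not in rel:
            return  # simplification: only stylesheet links count as fetched
        for name, value in attrs:
            if value and (tag, name) in FETCHED:
                self.refs.append((tag, value.strip()))

def audit(html, page_url):
    """Resolve each subresource against page_url and flag http-on-https."""
    collector = SubresourceCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme
    findings = []
    for tag, raw in collector.refs:
        resolved = urljoin(page_url, raw)  # "//host/path" inherits the page scheme
        findings.append({
            "tag": tag, "raw": raw, "resolved": resolved,
            "protocol_relative": raw.startswith("//"),
            "mixed": page_scheme == "https" and urlsplit(resolved).scheme == "http",
        })
    return findings

if __name__ == "__main__":
    for page in ("https://shop.example.test/checkout", "http://shop.example.test/checkout"):
        for f in audit(SAMPLE_HTML, page):
            print(page.split(":")[0], "MIXED" if f["mixed"] else "ok   ", f["raw"], "->", f["resolved"])
```

On the HTTPS page only the two hard-coded `http://` references are flagged; the `//cdn.example.test/app.js` reference follows the page's scheme in both cases.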

Read the whole post for some additional background on the issue.
