When your webpage includes resources using protocol-relative URLs, it indicates that these resources can be fetched using either HTTP or HTTPS. This could pose a security risk by being vulnerable to certain types of attacks.
Why is this important?
Using protocol relative URLs might have been a widespread practice for supporting both HTTP and HTTPS without specific URL schemes. While it’s a flexible solution, it’s unsafe when such a URL loads over HTTP, opening a window for security breaches such as the well-known Man-on-the-side attack.
What does the Optimization check?
The Optimization checks for any use of protocol relative URIs within the website's internal links to resources like scripts, CSS files, or images, whether they are HTTP or HTTPS.
Examples that trigger this Optimization
The following examples demonstrate the use of protocol relative URIs that would activate this hint:
JavaScript library link:
<script src="//code.jquery.com/jquery-2.2.3.min.js"></script>
External CSS stylesheet link:
<link href='//fonts.googleapis.com/css?family=Istok+Web' rel='stylesheet' type='text/css'>
Image source using protocol relative URI:
<img src="//example.com/img/logo.png">
How do you resolve this issue?
It is advisable to replace all protocol relative URLs with absolute HTTPS URLs, ensuring that all resources are loaded securely. For resources not available over HTTPS, consider hosting the resource yourself, using alternative secure hosts, or omitting the resource if necessary.