Loads page resources using protocol relative URIs
This means that the URL in question loads resources using protocol relative URLs. When the page itself is served over HTTP, the browser requests those resources over plain HTTP as well, where they can be read or modified in transit, and as such they represent a security vulnerability.
Why is this important?
Protocol relative syntax has become relatively common over the last few years as HTTPS adoption has spread, because it conveniently eliminates the need for developers to construct URLs based on the user's current security context. If this syntax is used on an HTTP page to include something from a CDN, it retrieves the HTTP version; if it is used on an HTTPS page, it retrieves the HTTPS version.
However, allowing the resource to be requested over HTTP opens the door for attacks like the GitHub Man-on-the-side attack, in which a script fetched over plain HTTP was modified in transit. It is always safe to request HTTPS assets even if your site is on HTTP; the reverse is not true.
What does the Hint check?
This Hint will trigger for any internal URL (either HTTP or HTTPS) that includes resource links using a protocol relative URI.
Examples that trigger this Hint
Consider the URL: https://example.com/page-a
The Hint would trigger for this URL if it loads even a single resource using a protocol relative URI:
JavaScript resource link using protocol relative URI:
CSS resource link using protocol relative URI:
Image resource src using protocol relative URI:
How do you resolve this issue?
You should use only https:// URLs when loading resources on your page (even if these are third-party resources that do not live on your own domain). For each URL that loads protocol relative resources, update the resource references to point to the HTTPS counterparts, using absolute URIs.
In some cases, you may find that the resources in question are not available over HTTPS, in which case do one of the following:
- Include the resource from a different host, if one is available.
- Download and host the content on your site directly, if you are legally allowed to do so.
- Exclude the resource from your site altogether.
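The check this Hint performs, and the fix it recommends, can both be illustrated with a small script. The following is an added example, not code from the original page or from the crawler it describes: it scans a constructed HTML page for the three resource forms listed above (a script src, a stylesheet link href and an img src) written as protocol relative URIs, and then rewrites each of them to an absolute https:// URI. The sample page, the host names in it and the choice to limit the check to those three tag/attribute pairs are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Tag/attribute pairs that load a sub-resource: script src, link href
# (stylesheets, preloads, icons) and img src. Assumption for this example;
# a fuller checker would also cover iframe, source, video and audio.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
}


class ProtocolRelativeFinder(HTMLParser):
    """Collects every resource reference written in the '//host/path' form."""

    def __init__(self) -> None:
        super().__init__()
        # Each finding is (tag, attribute, value) as seen in the markup.
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        for name, value in attrs:
            if name in RESOURCE_ATTRS.get(tag, ()) and value and value.startswith("//"):
                self.findings.append((tag, name, value))


def find_protocol_relative(html: str) -> List[Tuple[str, str, str]]:
    """Return the protocol relative resource references found in the page.
    A non-empty result is what would make the Hint trigger for this URL."""
    parser = ProtocolRelativeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Matches a quoted src/href value beginning with '//' inside the three
# resource tags only, so navigation links such as <a href="//..."> are left alone.
# Unquoted attribute values are not rewritten by this pattern.
RESOURCE_REF = re.compile(
    r'(<(?:script|link|img)\b[^>]*?\s(?:src|href)=)(["\'])(//[^"\']+)\2',
    re.IGNORECASE,
)


def rewrite_to_https(html: str) -> str:
    """Rewrite each flagged '//host/path' resource reference to 'https://host/path'."""
    return RESOURCE_REF.sub(
        lambda m: f"{m.group(1)}{m.group(2)}https:{m.group(3)}{m.group(2)}", html
    )


# Constructed sample page for the example. Three resources use protocol
# relative URIs; one script already uses https://; the <a> link is not a resource.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="//cdn.example.com/app.js"></script>
<link rel="stylesheet" href="//cdn.example.com/site.css">
<script src="https://cdn.example.com/ok.js"></script>
</head><body>
<img src="//images.example.com/logo.png" alt="logo">
<a href="//example.com/other">link</a>
</body></html>
"""


if __name__ == "__main__":
    for tag, attr, value in find_protocol_relative(SAMPLE_PAGE):
        print(f"<{tag} {attr}=\"{value}\"> would trigger the Hint")
    fixed = rewrite_to_https(SAMPLE_PAGE)
    print("remaining after rewrite:", find_protocol_relative(fixed))
```

Running the script lists the three offending references and then shows that the rewritten page produces no findings, which is the state the Hint expects after the references have been updated to absolute HTTPS URIs.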