Protocol-relative URLs

06.Nov.2021

Protocol-relative URLs (PRL, also abbreviated PRURL) are URLs that specify no protocol (scheme). For example, //example.com uses the protocol of the current page, typically HTTP or HTTPS.

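The resolution rule described above, as an added example that is not part of the original page: it uses the WHATWG URL parser in Node.js to list each protocol-relative reference in a page, show what it resolves to under a given page URL, and flag the ones that would load over cleartext HTTP. The sample HTML, host names and function names are constructed for illustration.

```javascript
// Added example: audit protocol-relative references in a page.
// SAMPLE_HTML and all host names are constructed for illustration.
const SAMPLE_HTML = `
<link rel="icon" href="//static.example.com/favicon.ico">
<script src="//cdn.example.com/lib.js"></script>
<img src="/images/logo.png">
<a href="https://www.example.com/">home</a>
<a href="//www.example.com/docs?x=1#top">docs</a>
`;

// Collect href/src attribute values. A regex is enough for this sample;
// use a real HTML parser when auditing arbitrary pages.
function extractRefs(html) {
  const re = /\b(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) refs.push((m[1] ?? m[2]).trim());
  return refs;
}

// A protocol-relative reference starts with "//" and carries no scheme.
function isProtocolRelative(ref) {
  return ref.startsWith("//");
}

// Resolve each protocol-relative reference against the page URL and report
// the scheme it inherits, plus the same reference pinned to HTTPS.
function auditPage(html, pageUrl) {
  return extractRefs(html)
    .filter(isProtocolRelative)
    .map((ref) => {
      const resolved = new URL(ref, pageUrl);
      return {
        ref,
        resolved: resolved.href,
        cleartext: resolved.protocol === "http:", // inherited plain HTTP
        pinned: "https:" + ref,                   // explicit-scheme rewrite
      };
    });
}

// The same markup inherits a different scheme depending on the page URL.
for (const base of ["http://site.example/page", "https://site.example/page"]) {
  console.log(base);
  for (const r of auditPage(SAMPLE_HTML, base)) console.log("  ", r);
}
```
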
The HTML5 specification states: "User agents must treat http://example.org/ and http://example.org./ as equivalent in terms of how they are parsed ([RFC3986], section 3)." This is true for most browsers today by default, with some exceptions noted below.

Protocol-relative links are primarily used when dealing with legacy content on websites that were created with older protocols in mind, e.g. FTP sites. These protocols do not specify the same-origin policy, so accessing them directly with an HTTP link may be possible in some browsers.

Protocol-relative URLs are not supported in Internet Explorer 9 or earlier, nor in Safari 6 or earlier. In those browsers, protocol-relative URLs will be treated as any other absolute URL. In Internet Explorer 10 and later, protocol-relative URLs are supported when the document's character encoding is UTF-8 or UTF-16LE.

Opera 11 and later support protocol-relative URLs if they are declared using a <link> tag with a valid link type of "icon" or "apple-touch-icon". Opera Mobile 11 does not support protocol-relative links. Opera Mini 7 and earlier do not attempt to resolve them, even if the page is served with the correct MIME type for a link relation of "alternate" or similar. In Opera 11.10, by default, only http:// and https:// protocols were resolved correctly; this was changed in Opera 11.50, and now protocol-relative URLs are resolved correctly for ftp:// as well.

In Chrome 2 and later, protocol-relative URLs will load the page over HTTPS if the host part is an SSL site (i.e., starts with "https://"). In Chrome 4 and later, this changes: the exact same URL loaded over HTTP will be reused by all subsequent navigations to the same host regardless of its scheme (http/https). If you enter a URL like http://foo//bar, bar.html will be shown regardless of whether foo is http or https. Google Chrome also does not support prefix matching of protocol-relative URLs used in anchor tags; thus <a href="//www.example.com"> will not load any page, and <a href="//example.com"> will only load if the host name matches example.com exactly.

In Safari 2 and later, protocol-relative URLs in HTML (but not JavaScript) are resolved correctly and treated the same as absolute URLs (this is also true for Opera 11.1-11.10 when used with Safari). However, in Safari 1 and earlier, anything beginning with // instead of http:// or https:// will be interpreted as a file URL protocol, regardless of the originating webpage's scheme. So for these browsers you must always use an explicit http:// or https:// before such URLs: <a href="http://www.example.com/">...</a>. Safari Mobile 1 does not support protocol-relative URLs.

In Firefox 3.6 and earlier, if a page containing a protocol-relative URL is viewed over HTTPS, the browser will interpret the scheme as HTTPS even if it would normally have been interpreted as HTTP. As a result, it will not send an Origin header in the request, which causes same-origin checks to fail and allows for cross-site scripting attacks from third-party sites. In Firefox 39 this bug was fixed.

In Internet Explorer 10 and later, by default, any protocol-relative link that begins with two slashes (e.g., //www.example.com/) or three slashes (e.g., ///www.example.com/) is rewritten as protocol-relative. In this case, two slashes are converted to // while three slashes are converted to ///. This behavior can be overridden by setting the X-UA-Compatible IE=edge meta tag or a Compatibility View (CV) List file.

In Internet Explorer 10 and later, the page loaded from the URL will have no security context information if it is opened in a new tab while running in Internet Security mode. If opened in a new tab while running in Internet Security mode, any URLs with a host name that do not resolve locally will fail to load. In addition, all protocols must be explicitly listed for each link using HTML5 syntax: <a href="//www.example.com/">...</a>

In Internet Explorer 11, if a page containing a protocol-relative URL is viewed over HTTPS, the browser will interpret the scheme as HTTPS even if it would normally have been interpreted as HTTP. As a result, it will not send an Origin header in the request, which causes same-origin checks to fail and allows for cross-site scripting attacks from third-party sites. This behavior can be overridden by setting the X-UA-Compatible IE=edge meta tag or a Compatibility View (CV) List file.