So the other day I was perusing some of the RFCs, and came across RFC 1808. It’s called “Relative Uniform Resource Locators.” Of particular interest is section 2.4.3, “Parsing the Network Location/Login,” which says something like:
“Hey, remember the last time you were creating a web application that needed to run in both HTTP and HTTPS? Remember how you had to write logic to detect the current request’s scheme, because you had to generate URLs as https:// when you were secure? Remember that you never thought there was a problem until Jimmy in Marketing looked at your site in Internet Explorer 5.5, and he said to your boss, ‘It says, “Are you sure you want to display insecure items?”, what’s that mean?’
Yeah, you don’t have to do that anymore.”
The problem is essentially this:
When you’re creating a link on a page that may be viewed securely (https://site.com/page.html), you have to change the protocol of the link to match the scheme you’re using. If you don’t, people using Internet Explorer get a dialog box in their face every time they load the page.
The usual method for fixing this is to add logic to your application which finds out (using various methods) whether the page is being accessed securely (https://) or insecurely (http://), and generates an appropriate prefix. You then take this prefix and stuff it in front of every generated link.
RFC 1808 § 2.4.3 basically says: just leave the scheme: off your URL, and the web browser will figure it out for you.
Instead of writing your links like this:
    def make_link(url, is_secure):  # is_secure: page was requested over https://
        if is_secure:
            scheme = "https://"
        else:
            scheme = "http://"
        return scheme + url
All you have to do is this:
    url = "//site.com/page.html"
Done. No code. One less special case for IE.
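To see the resolution rule at work, here is an added example (not part of the original post) that uses the standard JavaScript URL constructor to resolve three link styles against an http:// and an https:// page, and lists which ones a secure page would load insecurely. The index.html, logo.png and style.css paths are constructed for illustration.

```javascript
// Added example: resolve references the way a browser does and flag the
// ones that would be "insecure items" on a page served over https://.

// Resolve one reference against the URL of the page that contains it.
function resolve(ref, pageUrl) {
  return new URL(ref, pageUrl).href;
}

// Return the references that resolve to http:// on an https:// page.
function insecureItems(pageUrl, refs) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // no warning on an http:// page
  return refs.filter((ref) => new URL(ref, page).protocol === "http:");
}

// Constructed sample input; site.com is the placeholder host from the post.
const refs = [
  "http://site.com/logo.png", // scheme hard-coded
  "//site.com/page.html",     // scheme left off (network-path reference)
  "/style.css",               // path-only reference
];

// Resolve every reference against both versions of the same page.
function demo() {
  return {
    onHttps: refs.map((r) => resolve(r, "https://site.com/index.html")),
    onHttp: refs.map((r) => resolve(r, "http://site.com/index.html")),
    flagged: insecureItems("https://site.com/index.html", refs),
  };
}

console.log(demo());
```

The scheme-relative link inherits whatever scheme the page itself was loaded with, so it is only as secure as the page that contains it.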