Boot Sequence

Avoiding Mixed-Content Warnings Like A Boss

You have a site where some pages need to be loaded over SSL, such as when a user is logged in (because, you know, session keys are just like passwords). At the same time you don’t want to load static resources over SSL when you don’t have to because it consumes significant CPU time. What’s a developer to do?

The solution is the protocol-relative URL. This kind of URL omits the scheme (the “http:” or “https:” at the beginning) and starts directly with “//<domain>”. All modern browsers interpret this as “load this resource using the same protocol as the main page.” Thus, on pages loaded over SSL these URLs load over SSL, and on pages loaded without SSL they load without it. It’s the best of both worlds!
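The resolution rule described above, as an added example that is not part of the original post: it resolves each subresource reference the way a browser would for a given page URL and flags the ones that would trigger a mixed-content warning. The markup, the example.com hosts and the function names are constructed for illustration.

```javascript
// Constructed sample markup: two protocol-relative references, one hard-coded
// http:// reference, and one path-relative reference.
const SAMPLE_HTML = `
<link rel="stylesheet" href="//static.example.com/site.css">
<script src="//static.example.com/app.js"></script>
<img src="http://static.example.com/logo.png">
<img src="/img/avatar.png">
`;

// Matches src/href on tags that load subresources (<a> is navigation, so it is skipped).
const RESOURCE_ATTR =
  /<(?:script|img|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Resolve every subresource reference against pageUrl and flag those that an
// https: page would fetch over http: (the cause of a mixed-content warning).
function auditResources(html, pageUrl) {
  const page = new URL(pageUrl);
  const results = [];
  for (const match of html.matchAll(RESOURCE_ATTR)) {
    const ref = match[1];
    const resolved = new URL(ref, page); // "//host/path" inherits page.protocol
    results.push({
      ref,
      resolved: resolved.href,
      mixed: page.protocol === "https:" && resolved.protocol === "http:",
    });
  }
  return results;
}

// Only the references that would be reported as mixed content.
function mixedRefs(html, pageUrl) {
  return auditResources(html, pageUrl).filter((r) => r.mixed).map((r) => r.ref);
}

// Show the same markup served from a plain page and from an SSL page.
for (const pageUrl of ["http://www.example.com/", "https://www.example.com/account"]) {
  console.log(pageUrl);
  for (const r of auditResources(SAMPLE_HTML, pageUrl)) {
    console.log(`  ${r.mixed ? "MIXED" : "ok   "} ${r.ref} -> ${r.resolved}`);
  }
}
```

On the SSL page only the hard-coded http:// image is flagged; the protocol-relative references follow the page in both cases.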

By Craig Younkins