Disallow protocol-relative URLs

Disallow protocol-relative URLs (no-protocol-relative-urls)

no-protocol-relative-urls warns against using scheme-relative URLs (commonly known as protocol-relative URLs).

Why is this important?

Nowadays the web is moving to HTTPS, so the use of protocol-relative URLs has become an anti-pattern.

Particularly for web sites/apps served over HTTP, using protocol-relative URLs has some drawbacks, which, among others, include:

  • Performance

  • Security

    Especially if protocol-relative URLs are used for CDN links, their domain is not in the browser’s HSTS preload list, and the first request is not made over HTTPS, there is a high risk of man-in-the-middle attacks.

    Of course, if the web site/app is served over HTTP it is already exposed to those types of attacks, but in general CDNs constitute a high-value target and are therefore much more likely to be attacked than most of the individual sites that use them.

What does the rule check?

The rule checks for protocol-relative URLs.

Note: Currently the rule does not check for protocol-relative URLs inside of stylesheets and scripts.

Let’s presume example1.com does not support HTTPS and example2.com does.

Examples that trigger the rule

<link rel="stylesheet" href="//example1.com/style.css">
<script src="//example2.com/script.js"></script>

Examples that pass the rule

<link rel="stylesheet" href="http://example1.com/style.css">
<script src="https://example2.com/script.js"></script>
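As an added example (not webhint's own implementation), the following script shows the check this rule performs on href/src attributes in HTML markup and the explicit-scheme rewrite that makes the passing examples above pass. The attribute set, function names and the sample markup are assumptions; it also handles two cases a naive startsWith('//') misses: leading whitespace and backslashes, both of which browsers normalise before resolving the URL.

```javascript
// Attributes checked here (assumption: the real hint may inspect more).
const URL_ATTRIBUTES = new Set(['href', 'src']);

// Tag attributes: name="value", name='value' or bare name=value.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Browsers strip leading/trailing C0 controls and spaces before parsing an
// attribute URL, and on http(s) pages treat "\" like "/", so "\\host/x"
// resolves exactly like "//host/x". Both are therefore scheme-relative.
function trimUrlWhitespace(value) {
  return value.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

function isProtocolRelative(value) {
  const v = trimUrlWhitespace(value);
  return /^[\/\\]{2}/.test(v);
}

// Scan HTML and return every flagged attribute with its raw value.
function findProtocolRelativeUrls(html) {
  const findings = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const attribute = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (URL_ATTRIBUTES.has(attribute) && isProtocolRelative(value)) {
      findings.push({ attribute, value });
    }
  }
  return findings;
}

// The fix the rule expects: pin an explicit scheme ("https" where the host
// supports it, otherwise "http"). Leading slashes are dropped the same way
// the URL parser ignores them.
function toExplicitUrl(value, scheme) {
  const rest = trimUrlWhitespace(value).replace(/^[\/\\]+/, '');
  return `${scheme}://${rest}`;
}

// Constructed sample mirroring the examples on this page.
const SAMPLE = `
<link rel="stylesheet" href="//example1.com/style.css">
<script src="//example2.com/script.js"></script>
<link rel="stylesheet" href="http://example1.com/style.css">
<script src="https://example2.com/script.js"></script>
<a href="/local/path">same-origin path, not flagged</a>
`;

console.log(findProtocolRelativeUrls(SAMPLE));
```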

Further Reading