Did you know about protocol-relative hyperlinks? - Jon Galloway

Did you know about protocol-relative hyperlinks?

Summary:

  1. (For normal humans) IE and Firefox show perplexing messages on some pages due to a potential security vulnerability in the site you’re visiting. I’ll talk about what it means and how you can get it to go away.
  2. (For web developers) Don’t perplex your users with mixed content warnings. Use protocol-specific hyperlinks to deliver your page resources (images, CSS, Javascript) using the same protocol (HTTP/HTTPS) as the page.

Do you want to only read about this puzzling webpage prompt?

If you use IE8, you’ve probably puzzled over this dialog dozens of times:

Do you want to view only the webpage content that was delivered securely?

It’s kind of an odd question: “Do you want to view only the webpage content that was delivered securely?” Yes, of course! I mean, no. Well, what’s that “only” bit mean?

Fortunately, that dialog is explained in more detail in a post on Eric Law’s IE Internals blog. It’s a warning about a webpage which displays mixed content, meaning both HTTP and HTTPS. Eric explains the weird wording a bit, too: the old dialog said “This page contains both secure and non-secure items. Do you want to display the nonsecure items? That’s almost a variant of the classic dancing bunnies problem – I clicked on the page and it’s asking me if I want to see it. Of course I do. The new prompt kind of guides you towards only viewing the secure content.

In general, the warning is a good thing. Mixed content pages allow passing content between zones. That’s bad.

If added to the DOM, insecurely-delivered content can read or alter the rest of the page even if the bulk of the page was delivered over a secure connection.  These types of vulnerabilities are becoming increasingly dangerous as more users browse using untrusted networks (e.g. at coffee shops), and as attackers improve upon DNS-poisoning techniques and weaponize exploits against unsecure traffic.

Tampering with your HTTPS web page doesn’t just mean via Javascript. An insecure, tampered CSS file could do just about anything it wanted to with how the user views the page.

But this prompt is annoying!

It is annoying, yes. If it’s a site you use frequently, you’ve got some options.

  1. You can disable the prompt (Tools / Internet Options / Security / Custom / Misc / Display Mixed Content / Disable). This would generally be a bad idea since the mixed content warning is trying to help you.
  2. You can trust the non-secure domain (if you do trust it) and then only disable the mixed content prompt from the trusted zone. Remember that this is still a security risk, since HTTP content can be read and modified anywhere between your browser and the server.
  3. If it’s a site that’s under your control, you can fix it.

Fixing the real problem with protocol-relative hyperlinks

The real way to fix the problem is for web dev's to use protocol-relative hyperlinks, such as <img src="//www.google.com/intl/en_ALL/images/logo.gif" /> - that will use HTTPS if the page is HTTPS an HTTP if the page is HTTP, preventing both the security vulnerability and the security prompt. Rather than trying to fix the links in code, we’re relying on a specified and supported HTML feature (RFC 1808, Section 2.4.3, circa 1995)

As Eric points out, you can find out which content is causing the problem with an HTTP monitoring program like Fiddler.

Published Thursday, October 15, 2009 1:55 AM by Jon Galloway

Comments

# re: Did you know about protocol-relative hyperlinks?

I haven't seen protocol relative urls before! Thanks for the heads up.

Friday, October 16, 2009 3:32 AM by rtpHarry

# re: Did you know about protocol-relative hyperlinks?

This is one of my most recent "finds" which I discussed on a recent DotNetNuke Podcast - www.dotnetnukepodcast.com  We have run into this problem a number of times when building defaults for DotNetNuke and using protocol relative URLs neatly solves our problems.

Friday, October 16, 2009 9:27 AM by jbrinkman