@hint/hint-no-protocol-relative-urls
Advanced tools
hint that that checks if protocol relative URLs are used
no-protocol-relative-urls)no-protocol-relative-urls warns against using scheme-relative URLs
(commonly known as protocol-relative URLs).
A shorthand way of specifying URLs is to remove the protocol and let the browser determine the relative protocol based on the current connection to the resource.
As the web moves towards HTTPS everywhere, the use of protocol-relative URLs has become an anti-pattern, exposing some sites to man in the middle compromises and is therefore best avoided.
Particularly for web sites/apps served over HTTP, other drawbacks when using protocol relative URLs include:
Performance
If the web site/app is served over HTTP, for every protocol-relative URL that does support HTTPS and:
does a redirect to it (i.e. most CDNs), the load time will take
longer than if the request was made directly to the https://
version of the URL.
does not redirect to it, you may be missing out on things such as Brotli compression and HTTP/2 that are only supported by browsers over HTTPS.
Security
If protocol-relative URLs are used for CDN links, their domain is not in the browser’s HSTS preload list, and the first request is not made over HTTP, there is a high risk of man-in-the-middle attacks.
Of course, if the web site/app is served over HTTP it is already exposed to those types of attacks, but in general CDNs constitute a high-value target, and therefore, are much more likely to be attacked than most of the individual sites that use them.
The hint checks for protocol-relative URLs.
Note: Currently the hint does not check for protocol-relative URLs inside of stylesheets and scripts.
Let’s presume example1.com does not support HTTPS and example2.com
does.
<link rel="stylesheet" href="//example1.com/style.css">
<script src="//example2.com/script.js"></script>
<link rel="stylesheet" href="http://example1.com/style.css">
<script src="https://example2.com/script.js"></script>
This package is installed automatically by webhint:
npm install hint --save-dev
To use it, activate it via the .hintrc configuration file:
{
"connector": {...},
"formatters": [...],
"hints": {
"no-protocol-relative-urls": "error",
...
},
"parsers": [...],
...
}
Note: The recommended way of running webhint is as a devDependency of
your project.
FAQs
hint that that checks if protocol relative URLs are used
The npm package @hint/hint-no-protocol-relative-urls receives a total of 14,340 weekly downloads. As such, @hint/hint-no-protocol-relative-urls popularity was classified as popular.
We found that @hint/hint-no-protocol-relative-urls demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.