For what reasons do sites provide logic to switch between http/https protocols for JavaScript include files? Why not always use https?

+5  A: 

HTTPS means:

  • You need a server configured properly
  • You need a certificate on your server
    • And, to not get a warning in the browser, you need a certificate signed by some trusted authority
    • And this costs a bit of money
  • A small bit of performance impact
    • The server has to encrypt the data
    • The client has to decrypt it
  • I would bet HTTPS means less caching
    • Maybe on the client side?
    • And, most probably, on proxies?

If you don't need HTTPS... Well, why use it?

Pascal MARTIN
+1  A: 

There's less overhead if you just use http to serve the javascript include files. However, if you are running a site over https then you'll want to load everything over https, including the javascript include files.

ChronoPositron
A: 

JavaScript can always be viewed by the client so there's no point in retrieving it securely. Most sites that fetch it using a secure protocol do so because your page is not considered 'secure' unless all elements on the page are also from secure URLs.

animuson
A: 

Because you can get the page both with and without SSL.

If you mix secure and unsecure requests in a page, the user will get a warning, so when the page is requested using https, it will have to request the scripts using https also. This is usually done automatically when you request scripts from the same site with a relative URL, but if you have to use a complete URL to request a script from a different domain, the protocol has to be set dynamically.

Guffa
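
The behaviour described in the last answer, as an added example that is not part of any of the answers: it resolves script sources the way a browser does, builds a cross-domain script URL with the page's own scheme, and lists the scripts that would cause a mixed-content warning. The function names and the `example.com` / `example.net` hosts are assumptions made up for illustration.

```javascript
// Added example, not code from the original answers.
// All page URLs and script sources below are constructed sample values.

// Resolve a script src relative to the page URL, as a browser would.
// Relative ("/js/app.js") and protocol-relative ("//host/x.js") sources
// inherit the scheme of the page.
function resolveScript(pageUrl, src) {
  return new URL(src, pageUrl);
}

// The "set the protocol dynamically" approach: build a complete URL for a
// script on another host using the same scheme as the including page.
function scriptUrlFor(pageUrl, host, path) {
  const page = new URL(pageUrl);
  const scheme = page.protocol === "https:" ? "https:" : "http:";
  return `${scheme}//${host}${path}`;
}

// List every script that would trigger a mixed-content warning:
// the page is served over HTTPS but the resolved script URL is not.
function findMixedScripts(pageUrl, sources) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return []; // plain-HTTP page: no warning
  return sources
    .map((src) => ({ src, resolved: resolveScript(pageUrl, src) }))
    .filter(({ resolved }) => resolved.protocol !== "https:")
    .map(({ src, resolved }) => ({ src, resolved: resolved.href }));
}

const securePage = "https://shop.example.com/cart"; // constructed
const sources = [
  "/js/app.js",                       // relative: inherits https
  "//cdn.example.net/lib.js",         // protocol-relative: inherits https
  "http://cdn.example.net/widget.js", // hard-coded http: mixed content
  scriptUrlFor(securePage, "cdn.example.net", "/stats.js"), // dynamic scheme
];

for (const hit of findMixedScripts(securePage, sources)) {
  console.log(`mixed content: ${hit.src} -> ${hit.resolved}`);
}
```
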