Protocol-relative URLs in email

BLOG

Protocol-relative URLs in email

May 23, 2017 by steve in Technical

When you link to an external resource – an image, a javascript file, some css style – from a web page you do so with a URL, usually something like “https://example.com/blahblah.css” or “http://example.com/blahblah.css”.

The world is beginning to go all https, all the time, but until recently good practice was to make a web page available via both http and https.

The problem is that if you try and load a resource from an http URL from a page that was loaded via https it’ll complain about it, and not load the resource.

And if your users web browser is loading the http version of your page because it’s Internet Explorer 6 and doesn’t speak modern SSL then it’ll be unable to load anything over https, including any of your resources.

So whether you choose https or http protocol for loading your page resources it’s going to break for someone.

One common trick to avoid the problem is to use a protocol-relative URL. That looks like “//example.com/blahblah.css”, and it’ll load the resource over the same protocol that the page was loaded over.

While we can safely use “https://…” everywhere now, “//…” URLs are still a common idiom for things like loading things like CSS libraries from public content-distribution networks as well as your own resources.

I was reading long-but-excellent writeup about Stack Overflow’s migration to TLS (hey, I read this sort of stuff for fun) and they point out something I hadn’t considered – mail clients don’t really have any sensible way to use protocol-relative URLs. The mail client loaded the “page” from a mailbox and so has no base document protocol to work from (even if there’s a <base> element in the content it’s not likely to affect a mail client). If the user is reading it via webmail or a mail client that’s using an embedded web browser to render HTML it might work, sometimes, but it’s not going to reliably load that resource in general.

So, if you’re copy-pasting content from your web collateral to reuse in an email, make sure you’re not loading anything external – including images – via a “//…” style URL. Rewrite them to use “https://…”.

1 comment

Brian says

At some point in this past, some version of Outlook would spin out of control (and crash) when emails containing images without a protocol were included. Found this when adding a re-marketing pixel from the vendor as href=”//blah.com/pixel.gif”

May 23, 2017, 5:29 pm

Comment: Cancel reply

Random thoughts on spammersARC: Authenticated Received Chain

Yahoo List-Unsub header
Last week some folks were mentioning a spike in unsubscribes from Yahoo. This is being investigated. No Comments
It's not a technical problem
You can't technical your way out of the bulk folder. I wrote that a year and a half ago, and it's even more true today. Filters at the big webmail providers continue to evolve to meet new threats and new spamming techniques. Sending technically perfect mail won't get your mail into the inbox. Recipients have to want the mail and interact with the mail for good delivery. No Comments
Edison acquires part of Return Path
Today Matt Blumberg announced that Edison Software acquired Return Path's Consumer Insight division, current customers and some Return Path staff. Congrats to everyone involved.1 Comment

Donnie G Rutherford on What does mitigation really mean?
Stefano Bagnara on What’s up with microsoft?
Brad on Is harvesting illegal under CAN SPAM
John Levine on List the world!
jeff on Is harvesting illegal under CAN SPAM

2018 (71)
2017 (180)
2016 (209)
2015 (205)
2014 (209)
2013 (208)
2012 (228)
2011 (232)
2010 (240)
2009 (247)
2008 (233)
2007 (56)

BLOG