mixing http and https

Question

It's my understanding that if you have an https site you want all external files - js, css, images, etc - to be https as well, lest you get warnings about having some content that isn't secure or something.

Well I just tried that out and didn't get any warnings at all.

Where do I see these warnings? Also, assuming this is true... is the opposite true? Do you risk any warnings if you include https content on an http site?

FWIW I tried this:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>

Google has people doing this by default:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>

That'll make it so it's fetched from either http or https depending on what your website is using. Of course if https on http doesn't give any warnings it seems that doing https for all js files would work just as well..

Answer 1

Error messages will be displayed on the user/viewer's browser. [This site] (https://security.stackexchange.com/questions/1692/is-posting-from-http-to-https-a-bad-practice) has some explanation why there are error messages.

Assuming you are asking how google's code works, it is called a protocol-relative URL. The protocol of the linked file will inherit the protocol of the page including it. So if your page is https then it would send for it over https.

You can use

<script src="https://ajax.googleapis.com/ajax/jquery/1.8.3/jquery.min.js"></script>

Or remove the "https:" and have the js sent over https, provided your page is https.

Answer 2

Just to add another thing, if you load content through http on a https webpage, then you'll get warnings, but if you do the opposite, then there wont be any, but keep in mind that https is a slower than http. So use https only on https pages.