Loads page resources using protocol relative URIs

[TinFoilMan]

I am trying out Sitebulb and ran a website through the crawler and it is coming up with a hint that is a high priority.

The issue is showing as across the entire website.

Loading a resource using protocol relative URIs allow it to be requested over HTTP and opens the door for Man-on-the-side attacks.

If a resource is available over SSL, then always use the https:// URI.

It is bringing this up as the issue:
<link rel='dns-prefetch' href='//fonts.googleapis.com' />
<link rel='dns-prefetch' href='//s.w.org' />
<link rel='stylesheet' id='default_font-css' href='//fonts.googleapis.com/css
<a href="//www.dmca.com/Protection/Status.aspx

I have read the tips that sitebulb offers but still don't understand what I need to do to get rid of the errors.

Any help would be appreciated, and please keep in mind that technical stuff is not my strong point.

Thanks in advance

 

[CCarter]

If your site forces SSL, meaning a user gets redirected from the HTTP version to the HTTPS version when attempting to visit a non-SSL page you are fine. However if your visitors CAN still visit the non-SSL version of your site, you are not forcing SSL, you are vulnerable.

Force SSL and you are fine. Ignore the warning afterwards.

Are you forcing SSL?

 

[TinFoilMan]

Yes I am forcing SSL, all versions redirect to the https www version of the website

 

[Ryuzaki]

They want you to take the URLs that are like this //fonts.googleapis.com and change them to this https://fonts.googleapis.com.

Protocol Relative URLs do not include http:// or https://. It lets the user's browser choose which protocol (secure or insecure) to use for those links based on whether or not they are on the secure or insecure version of your site.

That's what CCarter is getting at. If all users are being redirected to the https:// version of your site, then the browser will take the protocol relative URLs and upgrade them to include https://. Since you're doing this, you're fine and there's nothing to worry about.

 

[TinFoilMan]

Sitebulb recommendations: https://sitebulb.com/hints/security/loads-page-resources-using-protocol-relative-uris/

CSS resource link using protocol relative URI:
<link href='//fonts.googleapis.com/css?family=Istok+Web' rel='stylesheet' type='text/css'>

Image resource src using protocol relative URI:
<img src="//example.com/img/logo.png">

How do you resolve this issue?

You need to only use https:// URLs when loading resources on your page. For each URL that loads protocol relative resources, update the resource references to point to the HTTPS counterparts, using absolute URIs.

In some cases, you may find that the resources in question are not available over HTTPS, in which case seek to do one of the following:

• Include the resource from a different host, if one is available.
• Download and host the content on your site directly, if you are legally allowed to do so.
• Exclude the resource from your site altogether.

Is there not an absolute url I can use for gonts.googleapis.com etc?

Cheers

 

[Samwise89]

Is there not an absolute url I can use for gonts.googleapis.com etc?

Yes. Put https:// in front of it. That's literally all there is to it. The browser is doing that, and you can do it too.