Don't use protocol-relative URLs for external links
This sounds confusing, so I’ll explain.
Assume someone posts a link like this: www.some.domain
Lounge’s URL parser will make that clickable, turning it into <a href="//www.some.domain"> (note that no protocol is given).
Assuming you’re using The Lounge over HTTPS, the browser will open https://www.some.domain
when you click. This is problematic because many websites still run http only, leading to The Lounge giving you dead links. Also, when someone links to a webpage without protocol, chances are they mean http and not https.
When you type www.some.tld into your browser’s URL bar, it will assume http (unless you use a plugin like HTTPS Everywhere, which will fall back to http if https does not work), so I think The Lounge should do the same.
Consequently, I suggest that Lounge adds http:// to protocol-less URLs, instead of just adding //.
I am assuming that the most common cases are:
- Server is running http only (in which case nothing listens on 443)
- Server is running http and https (you get what you surf to)
- Server is running http and https (you’re being redirected to https when you access http)
In each of these cases it’s safe to always link to http (when no protocol is given in the URL), whereas in one case always linking to https will lead to a browser error message, leaving the user thinking they were just given a dead link.
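The behaviour the issue describes can be seen directly with the browser's own URL resolution. The snippet below is an added example, not The Lounge's code: it contrasts the "//"-prefix the parser currently produces with the proposed "http://"-prefix, and resolves each href against the page it would be rendered on, the way a browser does before navigating. The helper names and the page URLs (lounge.example) are assumptions made for the example.

```javascript
// Added example, not The Lounge's own code. It reproduces the two behaviours
// the issue contrasts: prefixing a bare host with "//" (protocol-relative, so
// the browser reuses the scheme of the page the link sits on) versus prefixing
// "http://" as proposed. Helper names and the page URLs are assumptions.

// Does the token already carry a scheme such as http:// or https://?
const HAS_SCHEME = /^[a-z][a-z0-9+.-]*:\/\//i;

// Current behaviour described in the issue: bare hosts become "//host".
function linkifyProtocolRelative(token) {
  return HAS_SCHEME.test(token) ? token : "//" + token;
}

// Proposed behaviour: bare hosts become "http://host"; explicit schemes are kept.
function linkifyExplicitHttp(token) {
  return HAS_SCHEME.test(token) ? token : "http://" + token;
}

// What the browser will actually navigate to: the href resolved against the
// URL of the page that rendered it (the WHATWG URL parser does this resolution).
function resolveHref(href, pageUrl) {
  return new URL(href, pageUrl).href;
}

// Resolve one pasted token under both strategies for a given page origin.
function compare(token, pageUrl) {
  return {
    protocolRelative: resolveHref(linkifyProtocolRelative(token), pageUrl),
    explicitHttp: resolveHref(linkifyExplicitHttp(token), pageUrl),
  };
}

// Constructed sample inputs: the same bare host pasted into chat, viewed once
// over HTTPS and once over plain HTTP, plus a link that already names a scheme.
const samples = [
  ["www.some.domain", "https://lounge.example/"],
  ["www.some.domain", "http://lounge.example/"],
  ["https://www.some.domain/secure", "https://lounge.example/"],
];

for (const [token, pageUrl] of samples) {
  const r = compare(token, pageUrl);
  console.log(`${token} on ${pageUrl}`);
  console.log(`  "//"-prefixed      -> ${r.protocolRelative}`);
  console.log(`  "http://"-prefixed -> ${r.explicitHttp}`);
}
```

The point the output makes is that with a protocol-relative href the scheme of the link is decided by the scheme The Lounge itself is served over, not by anything the target site supports; with an explicit "http://" the first request is always cleartext and it is up to the target site to redirect to https, which is the trade-off discussed in the comments below.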
Issue Analytics
- Created 7 years ago
- Comments: 7 (7 by maintainers)
Top GitHub Comments
It’s pretty sad that we have to go for that direction and not the other (default to HTTPS). After all, using HTTP on all requests does have a security impact, as it leaks the request through the network! Plus there are still many websites that serve both without a redirect…
I guess using browser behavior (which may change someday soon) is the conservative choice then. Maybe when we do that we should add a note in the documentation, recommending to use something like HTTPS Everywhere to ensure maximum privacy.
@astorije Like it or not, browsers default to using http, as the majority of sites only work over http.
It’s up to the site maintainers to redirect to https properly, if they have it set up.