Consider forcing HTTPS (or adding an option) for Google Fonts

[philipwalton]

I've noticed that when I test on localhost I get http:// versions of Google Fonts. As far as I can tell, it's due to this default configuration:

webfontloader/src/modules/google/fontapiurlbuilder.js

Line 18 in da5faa9

webfont.modules.google.FontApiUrlBuilder.DEFAULT_API_URL = '//fonts.googleapis.com/css';

I'd be great if this could just be hard coded to HTTPS rather than protocol-relative. At minimum, It'd be nice to have the option to always use HTTPS regardless.

[monsterlane]

//link always resolves to your current protocol. If the site you're viewing isn't under SSL it will use http:// if you are it will use https://. If an option was added to force the protocol and it didn't match your current one you'd get a mixed content browser warning.

[philipwalton]

I understand that.

But there are many cases where you're on HTTP and you still want to load the HTTPS version. That doesn't give a mixed content warning, and is actually what folks still on HTTP should be doing.

[monsterlane]

If the main page isn't secured what's the purpose of securing includes? Genuinely curious.

[philipwalton]

We've had reports in the past of users making requests to http://www.google-analytics.com/analytics.js and getting results for a script that wasn't the officialanalytics.jsscript. I could never reproduce this myself, when those users switched to requestinghttps://www.google-analytics.com/analytics.js, they got the correct script. Presumably, since the request wasn't to HTTPS, somewhere in the network pipeline someone was modifying the response. Google has since updated analytics.js to force HTTPS, but other resources still requesting HTTP could experience the same issue.

A second reason is with service worker caching. When testing on localhost (which is technically HTTP even though Service Worker is whitelisted to run on localhost), you end up having to write logic to handle both HTTP and HTTPS, and add both files to the cache (since they're different origins) which is a pain. It's much move convenient to just always request HTTPS.

[thomasmattheussen]

"The protocol relative URL is now an anti-pattern. If the asset is available on HTTPS, always request it with that."

https://www.paulirish.com/2010/the-protocol-relative-url/

[ryansully]

Using HTTPS instead of protocol-relative URL also has considerable performance benefits:
https://jeremywagner.me/blog/stop-using-the-protocol-relative-url

[jlove73071]

Can we please address this. It's straight up silly as Google now redirects the http to https, causing a reload behind the scenes. It's totally pointless to load it using http anymore.