HTTPS protocol check no longer needed

[Nettsentrisk]

Google now serves all Analytics scripts via SSL also at www.google-analytics.com, so the protocol check is no longer necessary.

[mathiasbynens]

This is nothing new; the URL https://www.google-analytics.com/ga.js has always been available. The reason we included the protocol check is because using //www.google-analytics.com/ga.js causes an SSL security warning in IE6 on HTTPS pages (something about the certificates not being configured for that subdomain).

Google recently (March 2012) experimented with configuring the certificates for the www subdomain as well to avoid the warning, but it ended up breaking a bunch of older mobile browsers. They may try this again when the market share of the older mobile browsers is lower.

TL;DR: The reason we still have the protocol check is because it doesn’t work reliably in IE6.

However, now that we’ve dropped support for oldIE in this project, we may want to remove the protocol check after all. Also:

If Firefox < 9 support is not an issue, [we] could just use document.scripts[0] instead of document.getElementsByTagName('script')[0].

[Nettsentrisk]

I've checked the test case you linked to, and it appears that the SSL security warning no longer pops up in IE6. If anyone can confirm that, Google may have fixed the certificate problems and then there should be no qualms about implementing this change.

[mathiasbynens]

I had noticed this back in March 2012 and emailed a friend who works on Google Analytics, to which he replied the current situation is temporary.

See my comment above:

Google recently experimented with configuring the certificates for the www subdomain as well to avoid the warning, but it ended up breaking a bunch of older mobile browsers. They may try this again when the market share of the older mobile browsers is lower.

[Nettsentrisk]

I understood this to mean that they tried this out in March 2012, then reverted it due to the incompatibility issue for older mobile browsers. A year later, they have either never reverted the certificate fix, or they have turned it back on again. So perhaps the mentioned "they may try this again" condition has already transpired?

In any case, it seems the time has come to do this, which will both improve the performance of the script and remove the necessity for an extra DNS lookup, reducing the loading time.

[necolas]

Link #1050

[nstepien]

How about this? It seems to work for me.

<script>var _gaq=[['_setAccount','UA-XXXXX-X'],['_trackPageview']];</script>
<script src="//google-analytics.com/ga.js" async="true"></script>

You could even remove var

[FagnerMartinsBrack]

TL;DR
I think implicit globals in this case has no warm indeed.

[tchalvak]

Just wanted to comment that in my experience, there are a lot of bad bots that mis-understand the // protocol-less urls, so this transition from the js-only setup to the static protocol-less url is likely to result in a high frequency of 404 logged hits to //google-analytics.com/ga.js on your hosting server. Just something to be aware of if this change hits.

[necolas]

Marked this to be included in v5 where IE 6/7 support is abandoned. But this PR includes unrelated commits.

[mathiasbynens]

It seems the new Universal Analytics snippet uses the //www.google-analytics.com/analytics.js URL consistently (no HTTP/HTTPS checks). A manual check of the SSL certificate CN and SANs confirms that it now includes the correct domains. This probably means it’s now safe to omit the protocol check in all cases. I’ve contacted Google for confirmation.

[paulirish]

@mathiasbynens did you hear confirmation on this one? I can ping our guy if not.

[mathiasbynens]

@paulirish Nope, never got a response. Email subject is “Re: Google Analytics, IE6, and SSL/HTTPS”, sent on March 27 2013, to Brian Kuhn and you in CC. Thanks for looking into it!