I'm building a distributed widget that is comparable to Google Analytics. Users will add a <script> tag to their site that references my widget's JavaScript file.
The Google Analytics tracking code looks like this:
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-XXXXXXXX-X']);
_gaq.push(['_trackPageview']);
(function () {
var ga = document.createElement('script');
ga.type = 'text/javascript';
ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(ga, s);
})();
Can anyone explain the reasoning behind separate HTTP and HTTPS hostnames? My instinct is to just secure the www address and then use the protocol-less syntax, like //www.google-analytics.com/ga.js. But I'm sure the Google Analytics architects put a lot of thought into this approach. I'd love to understand their logic before I follow/ignore their model.
It's a lot simpler than you're probably thinking. SSL traffic on the scale of Google required accelerator cards, which were quite expensive. Since non-SSL has always been the bulk of their traffic it didn't make sense to put accelerator cards in all of their servers. Putting the SSL traffic on it's own hostname simplifies splitting the traffic between the servers with accelerator cards and those that handle normal non-encrypted traffic.
Note: This drastically simplifies Google's setup, but you get the idea. Also, things have changed in the last few years as EEAA points out. So you could chalk this up to "historical reasons".