> It appears that once secure URL is called (via https://...),
> every URL that is called from within that original secure URL
> automatically inherits encrypted (i.e. https://...) status if they
> are coded as:
> <a href="foo.html">foo</a> or <a href="/cgi-bin/foo.cgi">foo</a>.
Of course. This has nothing specifically to do with secure URLs, it's
a natural consequence of the rules for resolving relative URLs with
respect to the base URL of the document.
Quote:> Is there any way to force
Oh dear. The standard answer to all such questions is "force does not
work on the WWW". However, for once it's not that bad.
Quote:> the above URLs to always revert to
> a non-secure (i.e. http://...) connection short of calling a fully
> qualified "http://www.foo.xxx://foo.html"?
You can obviously specify a BASE tag in HTML.
But you might want to keep in mind that browsers tend to alert users
about leaving a secure site, which is understandable for security
reasons; so you could be causing them quite a lot of nuisance with
security alerts if you expect them to be entering and leaving the
secured server while browsing around.
As always, the use of a BASE tag can make page previewing inconvenient
(i.e prior to posting onto the actual server). If you work in that
way, you might want to leave the BASE out until you're ready to
actually publish the page to the server.
Quote:> Server version: Apache/1.3.11 (Unix)
OK, it's good to provide as much relevant detail as possible when
posting questions. But in this particular instance, it's a feature of
the protocols and of the behaviour of client browsers, so I don't
think your actual server makes any difference in this regard.