HTTPS-compatible ad code for AdSense

SEP 16, 2013
Author PhotoBy Sandor Sas, AdSense Software Engineer

Much of the signed-in web uses Hypertext Transfer Protocol Secure (HTTPS) to protect users’ sensitive information. For instance, most eCommerce and social networking websites use the HTTPS protocol to create secure sites that protect users sensitive information such as credit card and login credentials. We’ve updated the AdSense ad code so that it now supports secure ad serving through Secure Sockets Layer (SSL) on HTTPS web pages. This means that publishers with secure sites can now use AdSense ad code to serve SSL-compliant ads.

Our current ad code looks like this:

Synchronous ad code
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>


Asynchronous ad code
<script async src="http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js">
</script>


The new HTTPS-enabled ad code replaces the old and uses a protocol-relative URL to kick off the ad request:

Synchronous ad code
<script type="text/javascript" src="//pagead2.googlesyndication.com/pagead/show_ads.js">
</script>


Asynchronous ad code
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js">
</script>


Now when the user visits your secure website via HTTPS, AdSense serves the ad via HTTPS. A visit via HTTP will still serve the ad via HTTP, as before.

HTTPS-enabled sites require all resources on the page, including the ads, to be SSL compliant to protect the user against man-in-the-middle attacks. If an HTTPS page loads an HTTP resource, the page is considered mixed content, and the browser displays a mixed content warning (like the padlock with warning triangle in Chrome). New browser releases like Firefox 23 are starting to block mixed active content (scripts) but still display mixed content warnings for mixed passive content (images).

The mixed content warnings vary in aggressiveness among browsers. Here are some examples:

To make sure that all resources loaded by our ad calls on your secure page are SSL compliant, AdSense will remove non-SSL compliant ads from competing in the auction, which in theory means less auction pressure. This feature is meant to provide a monetization solution for publishers with existing HTTPS pages and not a reason for publishers to convert sites from HTTP to HTTPS. The HTTPS-compliant ads currently are text, image and Flash ads, but we are working on enabling more as we can make sure they are safe to use on secure pages.

Note that if you load your web page from the file system using the file:// protocol while developing, you won’t see the ads appear; instead, you’ll get a 404 response. In this case the asynchronous ad code - adsbygoogle.js - will put a placeholder the size of your ad slot on the page, while the synchronous ad code - show_ads.js - will not.

If you have an HTTPS-enabled website, we’d love to get your comments on our Google+ page.


Sandor Sas is a Software Engineer on the AdSense Formats team working on new, innovative ad formats. In his free time Sandor likes to play football (soccer) and he is an amateur clarinet player.

Posted by Scott Knaster, Editor