So We've been asking user's for their social media profile urls and display it on their profile (this way, their friends can see it when they visit the profile)
I've been using <input type="url" ... /> for frontend validation. Now, my client wants it so they can enter facebook.com/blabla or wwww.facebook.com/blabla without protocol on the field.
My gut feeling is telling me that it is somehow not ideal to ask to ask a "url" without a protocol - but I can't find anything to support this feeling.
I'm NOT asking on how to skip the validation or just add the protocol onsubmit (or anything related to code logic).
What I'm asking is, are there any "documents" / "rule" or maybe something that says that it is not a good practice to ask for urls without protocols and why?
In short, yes, there are reasons/rules to ask specifically for HTTPS or implement it on the back-end yourself.
In my personal experience, you can have security errors come up on the client side because the browser might detect it as being an evil twin link.
And https://www.paulirish.com/2010/the-protocol-relative-url/ says:
Now that SSL is encouraged for everyone and doesn’t have performance concerns, this technique is now an anti-pattern. If the asset you need is available on SSL, then always use the https:// asset.
If you fix it on the back end to add the url protocol yourself though this is all moot, that would be the best solution. I would use front-end validation for only checking if it is input a valid way, then check on the back-end again, and determine in what form they did it, ie. https://google.com, www.google.com, google.com, etc.
Good luck!