Tim Holloway wrote:But also the most likely to bite you.
Will have to disagree on this point. The
safest and best-practice approach is to use server-relative URLs, and dynamically obtain the context path. That way the code works regardless of where it is deployed, immune to changes in context paths external to the application, and adopting the protocol of the page (thus avoiding protocol mismatch errors).
The latter point is less important than it used to be with browsers enforcing the use of secure protocols.
(This all assumes a servlet/JSP environment -- best practices may be different for JSF, and are certainly different for modern JS/TypeScript apps.)